Expert Advice Community

Guest

Assets Inventory and Risk Assessment

  Quote
Guest
Guest user Created:   Sep 11, 2020 Last commented:   Sep 11, 2020

Assets Inventory and Risk Assessment

We are now making Assets Inventory and Risk Assessment.

We’ve listed now about 100 Assets, 33 of them are cloud services.

I have a couple of questions:

1. Some of the cloud services we are using are already ISO 27001 certified (like AWS, e.g., or some service hosted in AWS). Does that have any meaning for us?

2. Do we still have to consider Risks for that cloud services as well?

3. Could we group the Assets so that they become more manageable? E.g. one group: Cloud services, and perform the Risk Assessment for this group, or divide it to SaaS and IaaS groups.

4. Who should be the Asset Owner of Operating System – the user? And the Risk Owner is the System Administrator?

0 0

Assign topic to the user

Assign

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

Expert
Rhand Leal Sep 11, 2020

1. Some of the cloud services we are using are already ISO 27001 certified (like AWS, e.g., or some service hosted in AWS). Does that have any meaning for us?

ISO 27001 certified suppliers will make the management of your risks related to them easier because your organization and these suppliers will have a common base to manage information security risks (e.g., they will have an SoA that can make easier to you to evaluate how they treat risks relevant to your organization).

For further information, see:

2. Do we still have to consider Risks for that cloud services as well?

If these cloud services store or process information that is part of your ISMS scope, then the risks related to them need to be considered (e.g., a disaster can hit their sites, or a cyberattack, that can compromise your information that is with them). In this situation, any related treatment will be a part of contracts or terms of service you have with these suppliers.

These articles will provide you a further explanation about ISMS scope considering cloud services and management of suppliers:

3. Could we group the Assets so that they become more manageable? E.g. one group: Cloud services, and perform the Risk Assessment for this group, or divide it to SaaS and IaaS groups.

The short answer is yes.

ISO 27001 does not prescribe how to build the asset register, so you can define it as better fits your organization.

In your case, you can group assets, or uses them individually, the way you understand will better fulfill your needs. For example, if you have several laptops with the same level of risks you do not need to list them individually, you can have a single asset called "laptop". In case you have laptops with a different risk level, such as laptops from a development and maintenance department, you can create an asset called "development laptops".

In short, you should consider splitting assets in details when they require different levels of protection.

This article will provide you a further explanation about assets register:

4. Who should be the Asset Owner of Operating System – the user? And the Risk Owner is the System Administrator?

First is important to note that ISO 27001 does not prescribe who the asset owner must be, so organizations are free to define the asset owners as best fit them.

Considering that, as a good practice, you should consider as the asset owner the first management level with responsibility for protecting and managing the asset, because this will make the decisions about the asset faster and more effective.

For example, if the asset is a server, the owner should be the server's administrator. In the case of laptops, you should consider the asset owner the laptop user.

Quote
0 0

Comment as guest or Sign in

HTML tags are not allowed

Sep 11, 2020

Sep 11, 2020