We are now making an Assets Inventory and Risk Assessment.
We've now listed about 100 Assets, 33 of which are cloud services.
I have a couple of questions:
1. Some of the cloud services we are using are already ISO 27001 certified (like AWS, e.g., or some service hosted in AWS). Does that have any meaning for us?
2. Do we still have to consider Risks for those cloud services as well?
3. Could we group the Assets so that they become more manageable? E.g. one group: Cloud services, and perform the Risk Assessment for this group, or divide it into SaaS and IaaS groups.
4. Who should be the Asset Owner of the Operating System – the user? And the Risk Owner is the System Administrator?