In the policy:
Steps and responsibilities for information management are the following:
Step name:
1. Entering the information asset in the Inventory of Assets
2. Classification of information
3. Information labeling
4. Information handling

If classified information is received from outside the organization, [role] is responsible for its classification in accordance with the rules prescribed in this Policy, and this person becomes the owner of such an information asset.
We receive data files very often. Are we required to enter each and every one of them into the inventory of assets? That sounds onerous from our perspective, and that inventory would be extremely long and a burden to keep up to date. Is it permissible to instead include a description of the data/file type that we receive?
ISO 27001 does not prescribe how to build the inventory of assets, so organizations are free to build it in the way that best fulfills their needs. In cases like this, you can group files per type (i.e., files that share similar risks) and include only the type as an asset in the inventory of assets. For example, you can have an asset called "customer contracts", and others like "project specifications".
This article will provide you with further explanation about the inventory of assets:
- How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/
Mar 19, 2020