Expert Advice Community

CONFORMIO - Assets management

Guest user Created:   Apr 29, 2021 Last commented:   Apr 29, 2021

Please be so kind as to clarify: given the fact that risk assessment in Conformio can be conducted based on groups of assets, how can we assess each individual asset in Conformio? The same issue is also applicable to threats, vulnerabilities, likelihood, etc. Thank you in advance for the reply.

Expert
Rhand Leal Apr 29, 2021

Please note that when you perform a risk assessment on a group of assets it means that they share the same risk characteristics, like threats, vulnerabilities, likelihood, etc.

For example, a category called “computer” can have as individual assets servers, desktops, and laptops. In case you assess risk for the category computer, it means that all individual assets have the same risk, so you do not need to assess each individual asset.

Assessing an individual asset would be needed only if you have a risk specific to an individual asset in the category (i.e., different threats, vulnerabilities, likelihood, etc.). For example, the risk of laptop theft could be different from the risk of server theft, so it may be interesting for the organization to perform risk assessments specifically for laptops.

Considering that, to perform the risk assessment in Conformio for specific assets, you only need to go a step further in the identification of the assets (i.e., you can add a new asset choosing one of the assets included in the “computer” category).

In case you want to assess two kinds of laptops separately, because they have different risks (e.g., financial laptop and development laptop), you would need to add two assets, and name them e.g., “financial laptop” and “development laptop”, and do the risk assessment.
