If my technology firm outsources DevOps, on an asset register (on which to base a risk register) do I need to know make and model of hardware/software used by the outsourcing organisation or is it sufficient to log that the outsourcing organisation represents a risk as they are a third-party?
Assign topic to the user
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more 
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more
Expert
Rhand Leal
Sep 20, 2021
In this case, you only need to include in the asset register the outsourcing organization as a service provider.
Risks related to the outsourcing organization (i.e., risks related to hardware/software used by them) you can handle through the supplier security policy.
These articles will provide you a further explanation of asset register and supplier security:
- How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/
- 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/
Comment as guest or Sign in
Sep 20, 2021
Sep 20, 2021
Sep 20, 2021