Should we include the (private) devices (mobile phones) of our employees in the asset register? In the scope document we have referenced that all assets in the asset register are within the scope. The employees access e-mails via the outlook app and therefore have information of the company on their devices. Is there any up/downside to adding the mobile devices? It would be around 20 devices.
By including private devices in your asset register would mean that all information on them (both company and private) would have to be treated according company security rules, and this will add unnecessary effort and complexity to your ISMS (because users' private data).
A better approach would be not include the private devices in your asset register and identify the risk that business data can be accessed by private devices. This way you can focus on protecting only the business data, and this can be done by means of implementing a BYOD policy.