Expert Advice Community


Risk Register & BYOD

Guest user Created:   May 13, 2023 Last commented:   May 13, 2023


Our company develops software for school management. We have a private office in a co-working space. We have employees but we are also working with freelancers. They are working from home all around the world. I have some questions about the assets for the risk register. My first question is about infrastructure assets: do we have to include the private office of Singapore co-working space? What about air conditioning, power supply...? Also, the same question about the co-working space in London. By extension, we have a BYOD policy. Do we need to include personal laptops and smartphones in the assets? We are using a virtual server from a third-party provider (2 in Europe, and 1 in Singapore). Should we include these virtual servers in the assets? We have a website. Is it an asset? I saw in the list of assets: proprietary data. Could you give me an example of what it could be for us?


Expert
Rhand Leal May 13, 2023

1 - My first question is about infrastructure assets: do we have to include the private office of Singapore co-working space? What about air conditioning, power supply...? Also, the same question about the co-working space in Site B.

Answer: You should consider the co-working spaces as an outsourced service in your asset register (you can add a new asset like “co-working space provider”). Air conditioning, power supply, and other assets related to the co-working space should not be included (all these are provided by the co-working space provider).

2 - By extension, we have a BYOD policy. Do we need to include personal laptops and smartphones in the assets? 

Answer: If private assets (e.g., private laptops, private smartphones, etc.) are used for business purposes, then these should be included in the Risk Register.

3 - We are using a virtual server from a third-party provider (2 in Site C, and 1 in Site A). Should we include these virtual servers in the assets?

Answer: Yes, you should include this virtual server as a third-party service.

For further information, see:
- Defining the ISMS scope if the servers are in the cloud https://advisera.com/27001academy/blog/2017/05/22/defining-the-isms-scope-if-the-servers-are-in-the-cloud/

4 - We have a website: ***. Is it an asset? I saw in the list of assets: proprietary data. Could you give me an example of what it could be for us?

Answer: Yes, a website is an asset - if you are using a cloud service for hosting your website then you could list something like 'XYZ service for hosting the website'. 
