Filling asset inventory
You told me that listing the consequences inside the Asset Inventory comes out of the Risk Assessment Table and isn’t mandatory (but best practice). So far I totally got it and it makes more sense as the comment says before. But here is the thing: If I take the asset "top management" for example, I have for one asset different consequences inside the Risk Assessment Table, cause I have more than one vulnerability and threat. One asset with two different consequence-levels. The Asset Inventory consists of the asset „top management“ but needs just one consequence-level, right(?) Or shall I put both consequence-levels for one asset inside the Asset Inventory?
Assign topic to the user
ISO 27001 RISK ASSESSMENT TABLE
Implement risk register using catalogues of vulnerabilities and threats.
Get it now 
ISO 27001 RISK ASSESSMENT TABLE
Implement risk register using catalogues of vulnerabilities and threats.
Get it now
ISO 27001 RISK ASSESSMENT TABLE
Implement risk register using catalogues of vulnerabilities and threats.
Get it now
Answer:
First is important to note that both approaches are acceptable, but to keep your inventory less complex we recommend you to list only the highest impact associated to an asset.
Comment as guest or Sign in
Sep 09, 2019