I have a question about listing assets for the risk assessment. Is it acceptable to list similar assets under a single asset item (e.g. "laptops") instead of listing every item individually?
Assuming this might be OK, is it then acceptable to add more specific items to the same list, e.g. "All Dell laptops" or "Jane Smith's laptop"? Otherwise it seems that the list of assets and risk assessment items could easily grow to impractical or unmanageable proportions.
Answer:
Yes, you can create a group of assets, for example "laptops", if they have the same threats/vulnerabilities and also the same risk. Regarding your second question, you need to take care, because you can have laptops located in other facilities or other companies, which can have different threats/vulnerabilities and risks, so in this case you cannot include them in the same group "laptops". It is also important to think about the data that the laptop holds: if Jane Smith is, for example, the head of the HR department, her laptop may have confidential information (which is not on other laptops) and is critical for the business. So from my point of view, in this case it will be better to have an individual asset.
This article may be interesting for you: How to handle Asset register (Asset inventory) according to ISO 27001: https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/
Jan 13, 2016