Identifying Assets
One of our primary assets is our customer data, which must be kept private. This data is primarily stored in an SQL database, but can also be found in printed form, email, staff members' brains, etc.
Since the customer data can take on so many forms, the risks are relevant only to the form it takes.
So rather than list "customer data" as an asset, would I list each form of the data as a separate asset, i.e.:
- Customer data in SQL database
- Customer data accessible by web application
- Customer data in printed form
- Customer data transmitted verbally
- Customer data in the minds of employees
This is a valid approach, but you need to be careful to not make your asset register unnecessarily complex.
For example, a data loss risk is applicable to all these assets, and with your approach, you will need to create this risk for each asset.
In this case, you may use an asset called "customer data" and include this data loss risk only once, and use the specific assets only for specific risks (e.g., an SQL injection risk is applicable only to "Customer data in SQL database").
This will prevent a risk from being repeated only because it also applies to the multiple forms that information can take.
This article will provide you with a further explanation about the asset register:
- How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/
Dec 09, 2021