Get 2 Documentation Toolkits for the price of 1
Limited-time offer – ends March 28, 2024

Expert Advice Community

Guest

Identifying Assets

  Quote
Guest
Guest user Created:   Dec 09, 2021 Last commented:   Dec 09, 2021

Identifying Assets

One of our primary assets is our customer data which must be kept private. This data is primarily stored in an SQL database, but can also be found in printed form, email, staff member’s brains etc. 

Since the customer data can take on so many forms the risks are relevant only to the form in which it takes. 

So rather than list “customer data” as an asset,  would I list each form of the data as separate assets i.e. 

  1. Customer data in SQL database
  2. Customer data accessible by web application
  3. Customer data in printed form
  4. Customer data transmitted verbally
  5. Customer data in the minds of employees
0 0

Assign topic to the user

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

Expert
Rhand Leal Dec 09, 2021

This is a valid approach, but you need to be careful to not make your asset register unnecessarily complex.

For example, a data loss risk is applicable to all these assets, and with your approach, you will need to create this risk for each asset.

In this case, you may use an asset called “customer data” and include this data loss risk only once and use the specific assets only to specific risks (e.g., SQL injection risk is applicable only to “Customer data in SQL database”).

This will prevent a risk to be repeated only because it also applies to multiple forms that information can be.

This article will provide you with a further explanation about the asset register:

Quote
0 0

Comment as guest or Sign in

HTML tags are not allowed

Dec 09, 2021

Dec 09, 2021

Suggested Topics