I am in the process of identifying assets for our organization. I ended up identifying several key IT services which enable various business processes. For example:
IT Service: EMAIL
Information Assets: Supports Communication and storage of Customer Information
Application: MS Exchange
OS: Windows Server 2008 r2
Hardware: HP DL380
In my risk assessment where do I reference the IT Service and Information Assets line, or are they just ignored? Should I reference them in any other documents? I thought this was a helpful way to group as it shows relationships.
From my point of view, you should not ignore the IT service. You can identify it as an asset of type service and assign threats/vulnerabilities to it (in accordance with your methodology). You can reference this type of asset in the same document that you already have, I mean, in your asset inventory.
Finally, do you need information about threats and vulnerabilities that can affect your assets? This article can be interesting for you: Catalogue of threats & vulnerabilities: http://advisera.com/27001academy/knowledgebase/threats-vulnerabilities/
These articles can be interesting for you: