
Information asset in ISO 27001:2013

Guest user. Created: Jan 12, 2016. Last commented: Jan 12, 2016.

For your information, we are now in the process of transitioning from ISO 27001:2005 to ISO 27001:2013. In the past, we did risk assessment and treatment plans for all types of assets like hardware, software, documents, infrastructure, people. Now, in ISO 27001:2013, can I continue doing risk assessment based on the assets mentioned above? Is it OK if we exclude hardware, infrastructure, and people from the risk assessment?
DejanK Jan 12, 2016

Yes, with the ISO 27001:2013 you can continue doing the risk assessment based on hardware, software, documents, infrastructure and people.

If you choose to continue using the asset-based risk assessment, then you cannot exclude hardware, infrastructure and people from the risk assessment because those are very important assets.

My recommendation: maintain these types of assets, but please keep in mind that the important thing here is the identification of threats/vulnerabilities that can affect the organization (and the risk), and you can define the types that you need in your business. In ISO 27005 you can see an example of types of assets.

This article will also help you: What has changed in risk assessment in ISO 27001:2013 https://advisera.com/27001academy/knowledgebase/what-has-changed-in-risk-assessment-in-iso-270012013/
