Guest
Inventory of assets and risk assessment
I am a bit confused about the order of some of the templates and am hoping you can clarify. I am using the templates in the order you suggest (i.e. starting with folder 00), and am just wondering why the Inventory of Assets comes after the Risk Assessment Table. Could you explain why you wouldn't want to list all assets before proceeding to risk assessment?
Expert
Rhand Leal
Jul 08, 2017
Answer: First of all, an inventory of assets is not mandatory according to ISO 27001:2013 (it is a suggested control from Annex A, which may be selected if there is an unacceptable risk that can be treated by its implementation).
Second, some risk assessment approaches are not based on assets for risk identification. Instead, they could be based on some method not related to assets (e.g., scenario based).
Third, for smaller companies that use the asset-based approach for risk assessment, it is easier to list all the assets directly in the Risk assessment sheet; later on, they do not need to have a separate Inventory of assets.
This article will provide you with further explanation about Inventory of assets and risk assessment:
- How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/
These materials will also help you regarding Inventory of assets and risk assessment:
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
- ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/