
Inventory of assets and risk assessment

Guest user. Created: Jul 08, 2017. Last commented: Jul 08, 2017.

I am a bit confused about the order of some of the templates and am hoping you can clarify. I am using the templates in the order you suggest (i.e. starting with folder 00), and am just wondering why the Inventory of Assets comes after the Risk Assessment Table. Could you explain why you wouldn't want to list all assets before proceeding to risk assessment?
Expert
Rhand Leal Jul 08, 2017

Answer: First of all, an inventory of assets is not mandatory according to ISO 27001:2013 (it is a suggested control from Annex A, which may be selected if there is an unacceptable risk that can be treated by its implementation).

Second, some risk assessment approaches are not based on assets for risk identification. Instead, they could be based on some method not related to assets (e.g., scenario based).

Third, for smaller companies that use the asset-based approach for risk assessment, it is easier to list all the assets directly in the Risk assessment sheet; later on, they do not need to have a separate Inventory of assets.

This article will provide you with further explanation about Inventory of assets and risk assessment:
- How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/

These materials will also help you regarding Inventory of assets and risk assessment:
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
- ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
