Expert Advice Community

Guest

Inventory of assets & risk methodology

  Quote
Guest
Guest user Created:   May 17, 2021 Last commented:   May 17, 2021

Inventory of assets & risk methodology

1. How detailed and far does the inventory of assets need to be? (do we need to list each laptop and cell phone for example)

2. When a risk assessment is performed does the risk owner have to do a risk assessment on all the assets every year or the assets that are deemed to be threats or vulnerable.

3. Why is the inventory of assets not listed under the reference document as well as 3.1.2 in the Risk assessment and risk treatment Methodology document?

0 0

Assign topic to the user

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

Expert
Rhand Leal May 17, 2021

1. How detailed and far does the inventory of assets need to be? (do we need to list each laptop and cell phone for example)

ISO 27001 does not prescribe any level of detail for the inventory of assets, so you can adopt the levels you understand that will better fulfill your needs.

This is generally a balance between the administrative effort and the need for information to ensure proper security. For example, you do not need to record organizations laptops as individual assets (you can add a single asset called "laptop"), but if they have specific purposes with different risk levels you can use specific assets like "laptop", "development laptop", and "finance laptop". The same concept applies to cellphones of your organization and other assets. 

For further information, see this article:

These materials will also help you regarding:

2. When a risk assessment is performed does the risk owner have to do a risk assessment on all the assets every year or the assets that are deemed to be threats or vulnerable.

The update of risk assessment needs to be performed over all assets included in the ISMS scope, at planned intervals (e.g., quarterly, semiannually, annually, etc.) or when significant changes occur (e.g., deployment of new technology, new business, etc.). This is so because changes in the context of the organization may result in assets previously not relevant to become relevant and vice versa, which can affect treated risks and the risk treatment plan.

For further information, see:

These materials can also help you:

3. Why is the inventory of assets not listed under the reference document as well as 3.1.2 in the Risk assessment and risk treatment Methodology document?

Please note that for performing risk assessment and risk treatment you do not need an inventory of assets. The only information you need is assets' names and assets' owners, which can be maintained in the Risk Assessment and Risk Treatment tables, making an inventory of assets unnecessary.

Additionally, the inventory of assets for ISO 27001 is a control (A.8.1.1), and before performing risk assessment and risk treatment it does not make sense to apply a control (at this point there is no identified need for it).

This article will provide you a further explanation of controls selection:

Quote
0 0

Comment as guest or Sign in

HTML tags are not allowed

May 17, 2021

May 17, 2021