Inventory of assets & risk methodology
1. How detailed and far does the inventory of assets need to be? (do we need to list each laptop and cell phone for example)
2. When a risk assessment is performed, does the risk owner have to do a risk assessment on all the assets every year, or only on the assets that are deemed to be threats or vulnerable?
3. Why is the inventory of assets not listed under the reference document as well as 3.1.2 in the Risk assessment and risk treatment Methodology document?
1. How detailed and far does the inventory of assets need to be? (do we need to list each laptop and cell phone for example)
ISO 27001 does not prescribe any level of detail for the inventory of assets, so you can adopt the levels you understand that will better fulfill your needs.
This is generally a balance between the administrative effort and the need for information to ensure proper security. For example, you do not need to record the organization's laptops as individual assets (you can add a single asset called "laptop"), but if they have specific purposes with different risk levels you can use specific assets like "laptop", "development laptop", and "finance laptop". The same concept applies to the cellphones of your organization and other assets.
For further information, see this article:
- How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/
These materials will also help you regarding:
- ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
- ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
2. When a risk assessment is performed, does the risk owner have to do a risk assessment on all the assets every year, or only on the assets that are deemed to be threats or vulnerable?
The update of the risk assessment needs to be performed over all assets included in the ISMS scope, at planned intervals (e.g., quarterly, semiannually, annually, etc.) or when significant changes occur (e.g., deployment of new technology, new business, etc.). This is because changes in the context of the organization may result in assets that were previously not relevant becoming relevant, and vice versa, which can affect treated risks and the risk treatment plan.
For further information, see:
- ISO 27001/ISO 27005 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
These materials can also help you:
- The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
3. Why is the inventory of assets not listed under the reference document as well as 3.1.2 in the Risk assessment and risk treatment Methodology document?
Please note that for performing risk assessment and risk treatment you do not need an inventory of assets. The only information you need is assets' names and assets' owners, which can be maintained in the Risk Assessment and Risk Treatment tables, making an inventory of assets unnecessary.
Additionally, the inventory of assets for ISO 27001 is a control (A.8.1.1), and before performing risk assessment and risk treatment it does not make sense to apply a control (at this point there is no identified need for it).
This article will provide you with a further explanation of controls selection:
- The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
May 17, 2021