Expert Advice Community

Guest

ISO 27001 Asset Management and Information Classification

  Quote
Guest
Guest user Created:   Sep 16, 2020 Last commented:   Sep 16, 2020

ISO 27001 Asset Management and Information Classification

Could you please clarify the relation between having Asset management process in place and Information classification policy.
- Our Assets (Laptop, Desktop, Servers and SW license) and we have defined the full cycle in the process
- Our Information classification is mainly for documents and processes (Confidential, Restricted, Internal use)

Thus I would appreciate it if you can explain/clarify the following points:
- Do we need to classify our Assets or label it as (Confidential, Restricted, Internal use) or do we need to add another category for assets
- Do we need to classify the info on Assets !! but if Laptop (as an asset) has documents confidential and documents restricted ? in this case laptop as an asset

Is considered to be confidential or restricted ?

0 0

Assign topic to the user

Assign

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

Expert
Rhand Leal Sep 16, 2020

The relation between them is that information classification policy is applied to the assets considered relevant to the ISMS scope, and these are identified and managed through the asset management process.

But please note that neither the Information Classification Policy and the Assessment Management Process, as well as information labeling, are prescribed by ISO 27001. They are only needed if there are relevant risks, or legal requirements, demanding their implementation.

Considering that, and your started scenario, information, and processes are also assets (you can add, for example, the categories "information" and "processes"), and the other stated assets also need to be classified (as Confidential, Restricted, or Internal use).

In case you have an asset like a laptop storing information with different classifications, you must use the highest classification to classify the laptop (in your case the laptop is to be considered confidential).

For further information, see:

Quote
0 0

Comment as guest or Sign in

HTML tags are not allowed

Sep 16, 2020

Sep 16, 2020

Suggested Topics

Guest user Created:   Jun 23, 2021 ISO 27001 & 22301
Replies: 5
0 0

ISO 27001 documents

Guest user Created:   Jun 16, 2021 ISO 27001 & 22301
Replies: 1
0 0

Filling documents

Guest user Created:   Mar 30, 2021 ISO 27001 & 22301
Replies: 1
0 0

ISMS Controls