ISO 27001 Asset Management and Information Classification
The relation between them is that information classification policy is applied to the assets considered relevant to the ISMS scope, and these are identified and managed through the asset management process.
But please note that neither the Information Classification Policy nor the Asset Management Process, nor information labeling, is prescribed by ISO 27001. They are only needed if there are relevant risks, or legal requirements, demanding their implementation.
Considering that, and your stated scenario, information and processes are also assets (you can add, for example, the categories "information" and "processes"), and the other stated assets also need to be classified (as Confidential, Restricted, or Internal use).
In case you have an asset like a laptop storing information with different classifications, you must use the highest classification to classify the laptop (in your case the laptop is to be considered confidential).
For further information, see:
- Information classification according to ISO 27001 https://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/
- How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/
Sep 16, 2020