ISO 27001/Conformio questions

1. The Risk Register flow seems to be inverted. Can you explain why vulnerability comes before the threat? We were under the impression that we would first need to evaluate the threats related to assets, and then the vulnerabilities.

Please note that threats are relevant only if there are vulnerabilities to be explored by them (for example, it does not make sense to think about controls to protect paper documents if you only handle digital media).

Considering that, by identifying vulnerabilities first you reduce the scope of threats that you need to consider, reducing effort and speeding up the risk assessment and treatment process.

2. Regarding the inventory of assets - in Conformio we have a list of general assets, like computers, but we would like to have a separate document with a list of all the assets within our company, such as which types of computers we use. Is this needed for the successful implementation?

ISO 27001 does not prescribe the level of detail of the register of assets, so organizations can define the detail level that fulfills their needs.

The list of assets provided by Conformio is sufficient for certification purposes, but you can add your own assets in the Conformation asset list or create and include in the documentation your won list of assets.

This article will provide you with further explanation about the asset register:

• Asset management according to ISO 27001: How to handle an asset register/asset inventory https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/