Expert Advice Community

ISO 27001/Conformio questions

Guest user Created: Feb 16, 2022 Last commented: Feb 16, 2022

1. The Risk Register flow seems to be inverted. Can you explain why vulnerability comes before the threat? We were under the impression that we would first need to evaluate the threats related to assets, and then the vulnerabilities.

2. Regarding the inventory of assets - in Conformio we have a list of general assets, like computers, but we would like to have a separate document with a list of all the assets within our company, such as which types of computers we use. Is this needed for the successful implementation?

Expert
Rhand Leal Feb 16, 2022

1. The Risk Register flow seems to be inverted. Can you explain why vulnerability comes before the threat? We were under the impression that we would first need to evaluate the threats related to assets, and then the vulnerabilities.

Please note that threats are relevant only if there are vulnerabilities to be explored by them (for example, it does not make sense to think about controls to protect paper documents if you only handle digital media).

Considering that, by identifying vulnerabilities first you reduce the scope of threats that you need to consider, reducing effort and speeding up the risk assessment and treatment process.

2. Regarding the inventory of assets - in Conformio we have a list of general assets, like computers, but we would like to have a separate document with a list of all the assets within our company, such as which types of computers we use. Is this needed for the successful implementation?

ISO 27001 does not prescribe the level of detail of the register of assets, so organizations can define the detail level that fulfills their needs.

The list of assets provided by Conformio is sufficient for certification purposes, but you can add your own assets in the Conformio asset list or create and include in the documentation your own list of assets.

This article will provide you with further explanation about the asset register:
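
As an added illustration (not part of the original answer and not Conformio's own code), the vulnerability-first ordering described above can be modelled as a filter over a threat catalogue: a threat enters the register only where an asset actually has a vulnerability it needs, so threats like theft of paper records drop out when no asset carries that weakness. Assets, vulnerabilities, threats and the 1-5 likelihood/impact scales are constructed for this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    vulnerabilities: frozenset  # weaknesses actually present on this asset


@dataclass(frozen=True)
class Threat:
    name: str
    exploits: frozenset  # vulnerabilities the threat needs in order to materialise
    likelihood: int      # constructed 1-5 scale
    impact: int          # constructed 1-5 scale


# Constructed threat catalogue: each threat lists the vulnerabilities it depends on.
THREAT_CATALOGUE = [
    Threat("theft of paper records", frozenset({"unlocked-filing-cabinet"}), 3, 3),
    Threat("malware infection", frozenset({"unpatched-os", "no-endpoint-protection"}), 4, 4),
    Threat("unauthorised access", frozenset({"weak-password", "no-mfa"}), 4, 5),
    Threat("data loss", frozenset({"no-backup"}), 2, 5),
]

# Constructed asset inventory; only digital media, so no paper-related vulnerability.
ASSETS = [
    Asset("staff laptops", frozenset({"unpatched-os", "no-mfa"})),
    Asset("file server", frozenset({"no-backup", "no-mfa"})),
]


def applicable_threats(asset, catalogue):
    """Keep only threats that exploit at least one vulnerability present on the asset."""
    return [t for t in catalogue if t.exploits & asset.vulnerabilities]


def threats_in_scope(assets, catalogue):
    """Names of catalogue threats that apply to at least one asset (the reduced scope)."""
    return {t.name for a in assets for t in applicable_threats(a, catalogue)}


def risk_register(assets, catalogue):
    """Rows of (asset, vulnerability, threat, risk) where risk = likelihood * impact."""
    rows = []
    for a in assets:
        for t in applicable_threats(a, catalogue):
            for v in sorted(t.exploits & a.vulnerabilities):
                rows.append((a.name, v, t.name, t.likelihood * t.impact))
    return rows
```

Running `risk_register(ASSETS, THREAT_CATALOGUE)` yields four rows and `threats_in_scope` drops the paper-records threat, so three of the four catalogue threats remain to be assessed.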
