ISO 27001 Implementation - A8 Assets Management
I am documenting the assets inventory template as per the purchased ISO 27001 toolkit.
Under assets category, mostly the INFRASTRUCTURE and OUTSOURCED SERVICES.
1 - In the company, we have workstations, and for each workstation we have different assets like PC, monitor, keyboard, mouse, etc. So my question is: while documenting this, should I state the workstation as an asset, or should I list all the components mentioned as assets for the document to be ISO 27001 compliant?
Answer: If there is no specific reason to list the individual assets separately, you can refer to them as a workstation in your inventory. You only have to include in the notes column a comment describing the parts that make up the workstation.
This article will provide you with further explanation about assets management implementation:
- How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/
2 - My other question concerns the outsourced services; in my case the office space and the data centers are leased from 3rd parties. So are the policies and ISO 27001 certificates enough evidence to be used?
Answer: No. Regarding outsourced services, you should also include the contracts or agreements you have with them, which should include clauses covering security measures the outsourced services should fulfil.
This article will provide you with further explanation about handling suppliers:
- 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/
Apr 06, 2017