ISO 27001 - Risk Assessment
I’m trying to keep the risk assessment as simple as possible. Would it work to group sensitive applications together rather than treating them as separate assets? For example, rather than having accounting software, bank payment apps, and ERP software as separate assets, could we just group them into "sensitive software"? If possible, I’d like to take the same approach with things like admin accounts, user accounts, sensitive digital documents, and sensitive physical documents. In short, are we able to group assets that are alike?
ISO 27001 does not prescribe how to record assets, so you can group assets that share risks and still be compliant with the standard. The only point you have to pay attention to is when recording this set of assets in your risk assessment. You will have to make sure that from the "set of assets" registry you can identify all the assets that form that set, so in the event the set changes you can identify the need for a risk assessment review.
This article will provide you with a further explanation about managing assets:
- How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/
These materials will also help you regarding managing assets:
- ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
Mar 04, 2021