SPRING DISCOUNT
Get 30% off on toolkits, course exams, and books.
Limited-time offer – ends May 26, 2022
Use promo code:
SPRING30

Expert Advice Community

Guest

List of assets

  Quote
Guest
Guest user Created:   Dec 13, 2018 Last commented:   Dec 13, 2018

List of assets

My question regards to how thorough the list of assets should be. With an example; in our data center there´s data rooms, offices and so on. Even one of the stories is empty and might eventually be rented to some other company. I understand that we should make a difference among offices, data rooms, electrical – cooling – other infrastructure rooms inside of the building, since there´s different threats and vulnerabilities to each one of them that should be addressed differently and with different access levels and permissions.
0 0

Assign topic to the user

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

Expert
Rhand Leal Dec 13, 2018
So, the question is how deep should we go into assets that contain other similar assets, and if we should take a building as an asset when we can detail it into smaller parts that could somehow be put together as a whole… I´m probably not explaining myself so well, I hope you will understand as probably this one is a recurring question.
To what extent is up to us to choose the level of detail? How much this will depend on external audit?

Answer:

The quantity of assets and their level of details is totally up to the organization. The external auditor will only verify if your arrangement can provide enough confidence that all relevant risks are being properly assessed and treated.

As tips for handling the asset inventory, you only have to increase the level of details if you identify that by this way you can improve security, or have more efficient operation with acceptable risks. For example, you can have a building as a single asset, but if you identify that a room need extra security in that building, you can have two different assets (i.e., the building and the specific room). On the other hand, if you have similar assets that can share the same control, you can group them in a single asset. For example, laptops, tablets and smartphones can be grouped as an asset name "Mobile devices".

Other examples are network (that can be divided on cabling, switches, firewalls, etc.), and roles in the organization (the different roles can be grouped like users, technical staff, and managers).

This article will provide you further explanation about inventory of assets:
- How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/
Quote
0 0

Comment as guest or Sign in

HTML tags are not allowed

Dec 13, 2018

Dec 13, 2018