List of assets

Guest user. Created: Dec 13, 2018. Last commented: Dec 13, 2018.

My question regards how thorough the list of assets should be. For example, in our data center there are data rooms, offices and so on. One of the stories is even empty and might eventually be rented to some other company. I understand that we should differentiate among offices, data rooms, and electrical, cooling and other infrastructure rooms inside the building, since there are different threats and vulnerabilities to each one of them that should be addressed differently and with different access levels and permissions.
Expert
Rhand Leal Dec 13, 2018

So, the question is how deep we should go into assets that contain other similar assets, and whether we should take a building as an asset when we can detail it into smaller parts that could somehow be put together as a whole… I'm probably not explaining myself so well; I hope you will understand, as this one is probably a recurring question.
To what extent is it up to us to choose the level of detail? How much will this depend on the external audit?

Answer:

The quantity of assets and their level of detail are totally up to the organization. The external auditor will only verify whether your arrangement can provide enough confidence that all relevant risks are being properly assessed and treated.

As a tip for handling the asset inventory, you only have to increase the level of detail if you identify that this way you can improve security, or have a more efficient operation with acceptable risks. For example, you can have a building as a single asset, but if you identify that a room needs extra security in that building, you can have two different assets (i.e., the building and the specific room). On the other hand, if you have similar assets that can share the same control, you can group them in a single asset. For example, laptops, tablets and smartphones can be grouped as an asset named "Mobile devices".

Other examples are the network (which can be divided into cabling, switches, firewalls, etc.), and roles in the organization (the different roles can be grouped, like users, technical staff, and managers).

This article will provide you further explanation about inventory of assets:
- How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/
