Would an onsite pbx system be an asset to assess in a risk assessment?
Answer:
Yes, you can consider the pbx system as an asset in the risk assessment, because there are risks related to it, but for this, obviously this system need to be included in the scope of the ISMS. Anyway, from my point of view you need to consider, as independent assets, the software, the hardware and the information related to the pbx system.
Do you know the threats/vulnerabilities that can affect to the pbx system? Please see this article Catalogue of threats & vulnerabilities : https://advisera.com/27001academy/knowledgebase/threats-vulnerabilities/
Finally, maybe this article can be interesting for you ISO 27001 risk assessment: How to match assets, threats and vulnerabilities : https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/
We have received another question related to the PBX system:
>
When you say "Anyway, from my point of view you need to consider, as independent assets, the software, the hardware and the information related to the pbx system."
Could you please elaborate on what you mean by consider? Do you mean to look at the threats for all three of those components of the PBX?
Answer:
I mean that the PBX system really is composed by, for example:
- Asterisk (Software)
- Server HP DL 380 (Hardware where the software is installed)
- Register of information related to the calls (Information that the software stores in his data base)
So as you see there are 3 different assets related to the PBX system, and you can identify threats/vulnerabilities related to each one.
This article can be interesting for you How to handle Asset register (Asset inventory) according to ISO 27001 : https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/
Comment as guest or Sign in
Jan 12, 2016