
Expert Advice Community

Practical approach of ISO 27001

Created: Nov 25, 2020 | Last commented: Nov 25, 2020


Hi Dejan,

thanks for your email.

With a co-worker, head of quality service, we're approaching the world of ISO 27001 certification.
Your website and your documentation are very useful!
One question about the practical approach to ISO 27001. In Annex A.8.1.1, it's mandatory to manage an asset inventory. How do you do this? Or how do you suggest that a company that wants to be certified to ISO 27001 approach this task?
Have you any suggestion of a tool that allows an automated inventory in compliance with the ISO requirements?
Because I think doing it manually is a big problem for those who have a few hundred users.


Expert
Rhand Leal Nov 25, 2020

1 - One question about the practical approach to ISO 27001. In Annex A.8.1.1, it's mandatory to manage an asset inventory. How do you do this? Or how do you suggest that a company that wants to be certified to ISO 27001 approach this task?

Answer: Please note that any control from ISO 27001 Annex A is mandatory only if you have relevant risks, legal requirements (e.g., laws, regulations, or contracts), or top management decision, demanding the application of such control.

In case that none of the above situations occurs, then you do not need to implement a control.

In case you need to implement the asset inventory, you should consider:
- interview the head of each department, and list all the assets a department uses.
- identify if you already have some existing asset inventories (e.g. fixed asset register, employee list, licensed software list, etc.), that can be used (you don’t have to duplicate those lists – the best would be to refer to your other lists from your information security Asset register).
- define the details that must be listed in the asset inventory (ISO 27001 does not prescribe which ones to use, so you can list only the asset name and its owner, but you can also add some other useful information, like asset category, its location, some notes, etc.)

To see how an asset register compliant with ISO 27001 looks, see a template demo on this link: https://advisera.com/27001academy/documentation/inventory-of-assets/

These articles will provide you with further explanation about the asset register:
- How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/
- Asset List for ISO 27001 Risk Assessment (MS Word) https://info.advisera.com/27001academy/free-download/asset-list-for-iso-27001-risk-assessment/

2 - Have you any suggestion of a tool that allows an automated inventory in compliance with the ISO requirements? Because I think doing it manually is a big problem for those who have a few hundred users.

Answer: It's our policy not to make recommendations about technologies or products, but what I can say to you is that the size of the asset register is not directly related to the number of users.

For example, you do not need to include in the asset register individual PCs or laptops. You can use a single asset called "user laptop", or split this asset according to some criteria, like "user laptop", "development laptop", "sales laptop", etc.
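As an added illustration of the two answers above (this is example code written for this page, not part of the original thread, the expert's answer or Advisera's toolkit), the Python script below builds a minimal asset register from a few constructed "existing inventories": a fixed asset register and a licensed software list, with a set of departments standing in for an employee list. Each entry carries only the asset name and its owner as mandatory details, adds category, location and notes as optional extras, and points back to the source list instead of copying it; individual laptops are collapsed into one asset per department, as the second answer suggests. All tags, names, departments and seat counts are invented for the example.

```python
"""Asset register built from existing inventories (added example, not Advisera code)."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed sample inventories standing in for the "existing asset inventories"
# the answer mentions. Every tag, name and value here is invented for the example.
FIXED_ASSET_REGISTER: List[Dict[str, str]] = [
    {"tag": "FA-0001", "description": "Laptop", "department": "Development", "site": "HQ"},
    {"tag": "FA-0002", "description": "Laptop", "department": "Sales", "site": "HQ"},
    {"tag": "FA-0003", "description": "Laptop", "department": "Sales", "site": "Branch"},
    {"tag": "FA-0004", "description": "File server", "department": "IT", "site": "HQ"},
]
LICENSED_SOFTWARE_LIST: List[Dict[str, object]] = [
    {"product": "Office suite", "owner": "IT", "seats": 150},
    {"product": "CRM", "owner": "Sales", "seats": 40},
]
# Departments as they would appear in an (assumed) employee list; used to check
# that every owner named in the register is a real organisational unit.
KNOWN_DEPARTMENTS: Set[str] = {"Development", "Sales", "IT", "HR"}


@dataclass
class Asset:
    # The two details the answer says are enough: the asset name and its owner.
    name: str
    owner: str
    # Optional extras the answer suggests (category, location, notes).
    category: str = ""
    location: str = ""
    notes: str = ""
    # Reference to the existing list the entry comes from, instead of a copy of it.
    source_ref: str = ""


def group_laptops(fixed_assets: List[Dict[str, str]]) -> List[Asset]:
    """Collapse individual laptops into one register entry per department."""
    counts = Counter(r["department"] for r in fixed_assets if r["description"].lower() == "laptop")
    return [
        Asset(name=f"{dept.lower()} laptop", owner=dept, category="Hardware",
              notes=f"{n} devices", source_ref="Fixed asset register")
        for dept, n in sorted(counts.items())
    ]


def build_register(fixed_assets: List[Dict[str, str]],
                   software: List[Dict[str, object]]) -> List[Asset]:
    """Merge the source lists into one register without duplicating their contents."""
    register = group_laptops(fixed_assets)
    for r in fixed_assets:
        if r["description"].lower() != "laptop":  # everything else is listed individually
            register.append(Asset(name=r["description"], owner=r["department"], category="Hardware",
                                  location=r["site"], source_ref=f"Fixed asset register, tag {r['tag']}"))
    for s in software:
        register.append(Asset(name=str(s["product"]), owner=str(s["owner"]), category="Software",
                              notes=f"{s['seats']} seats", source_ref="Licensed software list"))
    return register


def check_register(register: List[Asset], known_departments: Set[str]) -> List[str]:
    """Return problems found: an entry without name or owner, or an owner that is not a known department."""
    problems = []
    for a in register:
        if not a.name or not a.owner:
            problems.append(f"entry without name or owner: {a!r}")
        elif a.owner not in known_departments:
            problems.append(f"{a.name}: owner {a.owner!r} is not a known department")
    return problems


if __name__ == "__main__":
    reg = build_register(FIXED_ASSET_REGISTER, LICENSED_SOFTWARE_LIST)
    for a in reg:
        print(f"{a.name:<20} {a.owner:<12} {a.category:<9} {a.location:<7} {a.source_ref}")
    print("problems:", check_register(reg, KNOWN_DEPARTMENTS) or "none")
```

With the constructed data the register has five entries (two grouped laptop assets, the file server and two software products) rather than one line per device, which is the point of the second answer: the register grows with the kinds of assets and their owners, not with the number of users.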
