Queries on Risk register

1 - Another question I have is regarding the server portion of the risk register, which is found, for instance, in IT and communication equipment. How should this part be defined from a general standpoint? We have added several assets that were relevant to our organization; for example, we have added AWS Infrastructure, Google Infrastructure, Office IT Infrastructure, and Microsoft Infrastructure. Would you kindly help us with this? Therefore, do we need to define this as an infrastructure as a whole or do we need to add different assets that are applicable to the organization? 

Please note that additional assets would be required only if you need more detailed information to manage risks related to specific assets. 

For smaller companies we suggest not adding additional assets, to keep things simple. 

If you need more detailed information, please see the examples below. 

If your Google Infrastructure is used by two different business units, Sales and R&D, then maybe you should add specific assets like “Google Infrastructure – Sales Servers” and “Google Infrastructure – R&D Servers” so you can handle related risks in different ways.

Laptops are another example. If laptops from Sales and R&D have different risks, then you should consider creating assets like “Sales laptops” and R&D laptops”, so you can handle specific risks for each asset.

For further information, see:

• Asset management according to ISO 27001: How to handle an asset register/asset inventory https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/

2 - Another issue is that third-party off-the-shelf applications are available for software and databases in a Risk Register. Since we use third-party programs like Phabricator, Microsoft Office 365, container hosts, virtual machines, containers, Jenkins, and virtual machines (Windows), we must decide whether to define each one specifically or to categorize them in general terms with a single category as Infrastructure. Could you please explain to me how we should define? 

Could you kindly let me know if we need to define different categorized products with Assets and then specify with the vulnerabilities associated to that specific asset in the Risk register for internally developed software?

Please note that the use of one or more categories will depend on the assessed risks. In case the assets are related to the same risks, then they can be combined in a single category. In case there are assets with specific risks, then you should consider grouping them in different categories, so you can treat the different risks as the best fit.