
Expert Advice Community


Queries on Risk register

Guest user. Created: Feb 16, 2023. Last commented: Feb 16, 2023

Another question I have is regarding the server portion of the risk register, which is found, for instance, in IT and communication equipment. How should this part be defined from a general standpoint? We have added several assets that were relevant to our organization; for example, we have added AWS Infrastructure, Google Infrastructure, Office IT Infrastructure, and Microsoft Infrastructure. Would you kindly help us with this? Therefore, do we need to define this as an infrastructure as a whole, or do we need to add the different assets that are applicable to the organization?

Another issue is that third-party off-the-shelf applications are available for software and databases in a Risk Register. Since we use third-party programs like Phabricator, Microsoft Office 365, container hosts, virtual machines, containers, Jenkins, and virtual machines (Windows), we must decide whether to define each one specifically or to categorize them in general terms under a single category as Infrastructure. Could you please explain to me how we should define these?

Could you kindly let me know if we need to define different categorized products as Assets and then specify the vulnerabilities associated with that specific asset in the Risk Register for internally developed software?


Expert: Rhand Leal, Feb 16, 2023

1 - Another question I have is regarding the server portion of the risk register, which is found, for instance, in IT and communication equipment. How should this part be defined from a general standpoint? We have added several assets that were relevant to our organization; for example, we have added AWS Infrastructure, Google Infrastructure, Office IT Infrastructure, and Microsoft Infrastructure. Would you kindly help us with this? Therefore, do we need to define this as an infrastructure as a whole, or do we need to add the different assets that are applicable to the organization?

Please note that additional assets would be required only if you need more detailed information to manage risks related to specific assets. 

For smaller companies we suggest not adding additional assets, to keep things simple. 

If you need more detailed information, please see the examples below. 

If your Google Infrastructure is used by two different business units, Sales and R&D, then maybe you should add specific assets like “Google Infrastructure – Sales Servers” and “Google Infrastructure – R&D Servers” so you can handle related risks in different ways.

Laptops are another example. If laptops from Sales and R&D have different risks, then you should consider creating assets like “Sales laptops” and “R&D laptops”, so you can handle specific risks for each asset.

For further information, see:

2 - Another issue is that third-party off-the-shelf applications are available for software and databases in a Risk Register. Since we use third-party programs like Phabricator, Microsoft Office 365, container hosts, virtual machines, containers, Jenkins, and virtual machines (Windows), we must decide whether to define each one specifically or to categorize them in general terms under a single category as Infrastructure. Could you please explain to me how we should define these?

Could you kindly let me know if we need to define different categorized products as Assets and then specify the vulnerabilities associated with that specific asset in the Risk Register for internally developed software?

Please note that the use of one or more categories will depend on the assessed risks. In case the assets are related to the same risks, then they can be combined in a single category. In case there are assets with specific risks, then you should consider grouping them in different categories, so you can treat the different risks in the way that best fits.
