ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more 
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more
I have couple of questions about inventory of assets.
1. Who is owner of asset “People”. Is it HR Manager or the person with whom the contract is signed?
Answer: ISO 27001 does not prescribe who should be the asset owner, but in general, if by contract you refer to an employment contract with an organization, then the asset owner is his/her superior in the organization. On the other hand, if this contract refers to a hired freelancer, consultant or similar, that will work for the organization only for a defined time, and for a specific work, then the asset owner should be the person with whom the contract is signed.
2. As “Asset Owner” can we use Position Name (like CEO, HR Manager) or it should be personalized (John Smith, CEO)
Answer: ISO 27001 does not prescribe how to name the asset owner, so both approaches are acceptable, but in case you have a significant turnover on personnel related as asset owners then you should consider using roles not personal names, because this will reduce the need to update the inventory every time t he responsible person changes.
3. We are paperless company and all our contracts are in electronic form, which are stored on reputable cloud solution. Should we include all contracts in Inventory of Assets in that case?
Answer: Regardless if your contracts are stored on a third-party cloud solution, the contracts still belong to the organization, and if they are relevant to the ISMS scope then they should be listed on the inventory of assets.
4. If we have cabinets/drawers in the office where we do not store any document, should it be included in Inventory of Assets?
Answer: If an asset is not related to the information you want to protect, then it does not need to be included in the inventory of assets.
5. We rent office in technological hub and we are using theirs printer and scanner. Should we include it in inventory?
Answer: If the printers and scanners are part of the service delivered by the technological hub, and are relevant to the ISMS scope, then they should not be included in the inventory as equipment but as a third-party service (e.g., like a printer service), since these equipment are managed by a third-party.
This article will provide you further explanation about inventory of assets:
- How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/
Comment as guest or Sign in
May 17, 2019