Expert Advice Community

Questions about assets

Guest user Created: Jan 13, 2016 Last commented: Jan 13, 2016
AntonioS Jan 13, 2016

Question 1: I don't know how to list people as assets. Do I just count the number of workers and write out what they do?
Question 2: Also, wouldn't the hw/sw owner be my company? (Since individual departments do not own them.) I'm a bit confused about that.
Question 3: After tightening up these documents, do you have a recommendation on how to get ready for the internal audit?

Answers:

Answer 1: It is important. You can make groups of assets. For example, if you have a number of employees in the IT department you can have the asset "IT employees", and you can also add a brief description of this asset (writing out what they do; you can also include the number of employees). You can do this because all these assets have the same threats/vulnerabilities and also the same risks, so the logical thing is to group them. Maybe these articles will be interesting for you: "ISO 27001 risk assessment: How to match assets, threats and vulnerabilities": https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/ ; "How to handle Asset register (Asset inventory) according to ISO 27001": https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/ ; and also this free webinar, "The basics of risk assessment and treatment according to ISO 27001": https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
Answer 2: From my point of view it is not recommended; the asset owner should be an employee who manages the asset on a day-to-day basis, for example the IT administrator. But you can also assign the head of a department as risk owner. For more information about this, please read this article, "Risk owners vs. Asset owners in ISO 27001:2013": https://advisera.com/27001academy/knowledgebase/risk-owners-vs-asset-owners-in-iso-270012013/
Answer 3: Yes, my recommendation is to review the main steps of the implementation process to check whether all of them are completed. This article can be useful for you, "ISO 27001 implementation checklist": https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/ You can also review whether you have all the mandatory documents required by ISO 27001:2013, so please read this article, "List of mandatory documents required by ISO 27001 (2013 revision)": https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
