Responsible for personnel
In this document, you have to determine the inventory of assets, the risk owner and the owner of each asset.
I have identified the group of assets "People", which includes the following assets:
Steering committee
Internal staff
External people in internships and interns
External part-time employees
External people visiting the organization
In the case of people, for example, who would be responsible for the asset and who would be responsible for the risk?
Answer:
ISO 27001 does not prescribe who should be the asset owner, but in general:
- for personnel with a contract with an organization, the asset owner is his/her superior in the organization.
- for personnel hired only for a defined time, or for a specific piece of work, the asset owner should be the person with whom the contract is signed.
- for personnel like visitors, the owner is the person in the organization with whom the visitor will interact.
As for the risk owner, this should be someone related to physical security, since most of the risks related to personnel are related to physical access to assets and information.
This article will provide you with further explanation about risk owners:
- Risk owners vs. asset owners in ISO 27001:2013 https://advisera.com/27001academy/knowledgebase/risk-owners-vs-asset-owners-in-iso-270012013/
Jul 13, 2019