
Risk and asset owner

Guest user Created:   Sep 06, 2019 Last commented:   Sep 06, 2019


Hello, I have a question about the risk analysis. Can I have 1 asset with 1 risk owner who is different from the asset owner, and then also transfer the risk of this asset to a third party? For example:

Expert
Rhand Leal Sep 06, 2019

CCTV camera and video recorder
risk owner: the person responsible for maintenance
asset owner: the IT manager
But: we want to transfer the risk to an external company that will also be responsible for daily maintenance, and we will apply the subsequent controls.

Can you confirm whether it is possible to do it this way with some assets?

Answer:

Your assumption is correct. You can have the risk owner as a different person from the asset owner, and transferring the risk is an acceptable risk treatment option.

These articles will provide you with further explanation about asset and risk owners and risk treatment options:
- Risk owners vs. asset owners in ISO 27001:2013 https://advisera.com/27001academy/knowledgebase/risk-owners-vs-asset-owners-in-iso-270012013/
- 4 mitigation options in risk treatment according to ISO 27001 https://advisera.com/27001academy/blog/2016/05/16/4-mitigation-options-risk-treatment-according-iso-27001/
