Risk assessment
1. We are a small company, and the CIO (me) will be the risk owner for all assets. Is that a problem?
Answer: ISO 27001 does not define who must be the risk owner, so a single person can be the owner of all risks. The choice of the risk owner should consider the capability to make decisions about treating the risks, and that the quantity of risks does not become too large to manage.
For more information, see: Risk owners vs. asset owners in ISO 27001:2013 https://advisera.com/27001academy/knowledgebase/risk-owners-vs-asset-owners-in-iso-270012013/
2. Do I also have to include the private phones of our employees (their mailbox is configured on them, along with an app for two-factor authentication)?
Answer: If the organization does allow employees to use their own devices to access information included in the ISMS scope, then these personal devices should be included in the risk assessment.
For more information, see: How to write an easy-to-use BYOD policy compliant with ISO 27001 https://advisera.com/27001academy/blog/2015/09/07/how-to-write-an-easy-to-use-byod-policy-compliant-with-iso-27001/
3. Do I also have to include the private PC or laptop that they use at home to connect via VPN to an online workplace, where they can work from home?
Answer: Like the previous answer, if the organization does allow employees to use their own devices to access information included in the ISMS scope, then these personal devices should be included in the risk assessment.
For more information, see: How to apply information security controls in teleworking according to ISO 27001 https://advisera.com/27001academy/blog/2021/10/27/how-to-use-iso-27001-to-secure-data-when-working-remotely/
Nov 08, 2018