
Expert Advice Community

Risk Assessment

Guest user Created: May 25, 2020 Last commented: Jun 18, 2020


To start, during our last discussion you mentioned we could email you with any questions we have. If your inbox isn't the right place to direct these to, please let me know the alternative address.

I had two general questions:

(1) Our product as a service platform can be thought of as containing multiple modules (this is primarily a marketing and sales spin). Each module can be thought to perform a different feature (i.e. dashboard module, data dissemination module, data transformation module), but these are all driven by a single code base. When doing the risk assessment, should these be thought of as separate assets? Or should they be represented by a single asset (i.e. *** platform)?

(2) The scope of our ISO is the "handling of customer data (ingestion, storage, dissemination)". In the risk matrix, we've already called out assets (and done the threat/vulnerability breakout) including:
- employees
- contractors
- management
- office
- data centers
- network
- laptops
- mobile phones
- application software (codebase)
- licensed application

Is there value to auditors to specifically call out assets for each of ingestion/storage/dissemination? Or should they be worked into the existing assets (i.e. ingestion would exist under data centers)? Ingestion / storage / dissemination are technically "processes" (not assets), so on one hand I'm hesitant to list them as assets, but on the other hand they are important portions of the scope and so calling them out might help the focus of the audit. Can you share your thoughts on this?


Expert
Rhand Leal May 25, 2020

To start, during our last discussion you mentioned we could email you with any questions we have. If your inbox isn't the right place to direct these to, please let me know the alternative address.

You can post your questions directly in our community at this site: https://community.advisera.com/
In case you have a more sensitive question you can send it through my email.

Our product as a service platform can be thought of as containing multiple modules (this is primarily a marketing and sales spin). Each module can be thought to perform a different feature (i.e. dashboard module, data dissemination module, data transformation module), but these are all driven by a single code base. When doing the risk assessment, should these be thought of as separate assets? Or should they be represented by a single asset (i.e. *** platform)?

You can start the risk assessment considering them as a single asset (i.e., your platform), identifying all common risks. In case there are specific risks related to specific modules, then in these cases you should include these specific modules as separate assets, identifying for them only the specific risks of each module. This approach will optimize your effort during the risk assessment and risk treatment.

For example, in a scenario with multiple laptops, you can start the risk assessment with the asset "laptop", but if during the assessment you identify a risk related only to laptops used for software development, then you can include a second asset, called "development laptops", and relate it to this specific asset.

For further information, see:

The scope of our ISO is the "handling of customer data (ingestion, storage, dissemination)". In the risk matrix, we've already called out assets (and done the threat/vulnerability breakout) including:
- employees
- contractors
- management
- office
- data centers
- network
- laptops
- mobile phones
- application software (codebase)
- licensed application

Is there value to auditors to specifically call out assets for each of ingestion/storage/dissemination? Or should they be worked into the existing assets (i.e. ingestion would exist under data centers)? Ingestion / storage / dissemination are technically "processes" (not assets), so on one hand I'm hesitant to list them as assets, but on the other hand they are important portions of the scope and so calling them out might help the focus of the audit. Can you share your thoughts on this?

I'm thinking you are missing a couple of critical asset types in your list: information and data.

These categories cover information spoken by persons, and data on physical and electronic media. Examples of these assets are contracts, reports, specifications, and "customer data".

Regarding the identification of assets, ISO 27001 does not prescribe how to call assets, only that they must be identified, if control A.8.1.1 (Inventory of assets) is applicable. So, the auditor will not evaluate how you call your assets, only whether you identify assets relevant to your ISMS scope.

This article will provide you with a further explanation about the auditor's approach:

Guest
Guest user Jun 17, 2020

Another question for you... We're a small company (4 F/T) and I'm getting to the last set of documents required - Internal Audit (10), Management Review (11) and Corrective Action (12). Given that this is our first time, and our stage 1 ISO27001 audit will happen in about a week, is it expected (from the auditor) for our company to have these documents in hand? Or do companies typically do an internal audit some time after the external audit has happened?

Expert
Rhand Leal Jun 18, 2020

Please note that before the certification audit you need to have evidence that all requirements from ISO 27001 clauses 4 to 10, and applicable controls, are implemented and working as expected.

Considering that, you need to perform at least one internal audit, covering all requirements and applicable controls, and one management review before the certification audit (corrective action needs to be performed only if you identify any nonconformity during the implementation process). The lack of an internal audit and management review will make it impossible for the certification auditor to start stage 2 of the certification audit.

These articles will provide you with a further explanation about the certification audit:

This material will provide you with a further explanation about the certification audit:
