To start, during our last discussion you mentioned we could email you with any questions we have. If your inbox isn’t the right place to direct these to, please let me know the alternative address.
I had two general questions:
(1) Our product-as-a-service platform can be thought of as containing multiple modules (this is primarily a marketing and sales spin). Each module can be thought of as performing a different feature (e.g. dashboard module, data dissemination module, data transformation module), but these are all driven by a single code base. When doing the risk assessment, should these be thought of as separate assets? Or should they be represented by a single asset (i.e. the *** platform)?
(2) The scope of our ISO is the "handling of customer data (ingestion, storage, dissemination)". In the risk matrix, we've already called out assets (and done the threat/vulnerability breakout) including:
- data centers
- mobile phones
- application software (codebase)
- licensed application
Is there value to auditors in specifically calling out assets for each of ingestion/storage/dissemination? Or should they be worked into the existing assets (e.g. ingestion would exist under data centers)? Ingestion / storage / dissemination are technically "processes" (not assets), so on one hand I'm hesitant to list them as assets, but on the other hand they are important portions of the scope, and so calling them out might help the focus of the audit. Can you share your thoughts on this?