Risk Assessment Equipment in the ICT Table
With regards to the Asset Name of ICT Equipment Maintenance in the Risk Assessment Table spreadsheet we purchased, should all ICT equipment be broken out individually in the risk assessment table? Or should they be called out in the Controls Document for th ICT equipment?
Assign topic to the user
First is important to note that ISO 27001 does not prescribe how to identify assets, so organizations are free to identify them as best fit their needs.
Considering that, you can break the ICT Equipment Maintenance in individual assets in case of need (e.g., there is a relevant risk related to a specific asset, like measurement equipment), but please note that a good practice for asset management is to group assets together if their threats/vulnerabilities are similar (e.g., a single asset named "laptop", instead of listing all organization's laptops individually), and only adopting individual assets in case they have specific risks related to them (e.g., development laptops, sales laptop, etc.). This way you will reduce the time and effort for doing the risk assessment.
This article will provide you a further explanation about the inventory of assets:
- How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/
Comment as guest or Sign in
Aug 20, 2020