As part of compliance with the NIS Regulations we are identifying assets, grouping them and then risk assessing them as a group.
Our aspiration is to implement ISO 27001 in the future, so I am thinking this is an opportunity to get our risk assessments aligned to the standard. I am guessing for ISO 27001 we would have to risk assess the individual assets rather than as groups?
So, rather than risk assess
Would we need to risk assess as follows?
Business System 1
Business System 2
Business System 3
Business System 4
Business System 5
Desktop Application 1
Desktop Application 2
Desktop Application 3
Desktop Application 4
Desktop Application 5
ISO 27001 does not specify a method to perform risk assessment, so you can adopt the method that best fulfills your needs.
When using a methodology that uses assets, threats, and vulnerabilities, you can assess assets as a group if they share common threats and vulnerabilities, assessing individual assets only if they have specific threats and vulnerabilities.
For example, if desktop applications 1 to 4 are used by the HR team and share similar threats and vulnerabilities, they can be assessed as a single asset, let’s say, called HR desktop applications.
These articles will provide you with a further explanation about risk assessment: