At *** we are currently working on our first Risk Assessment and as it's a complicated process, we do have some questions.
1 - Following the steps, we first identified the assets and asset owners.
It was quite difficult given the fact that for the same asset, we may have different asset owners.
Should we keep them in separate lines? It's highly possible that there will be a different Risk Owner.
2 - Our company develops software and has many different applications. Therefore, the Category of Applications & Databases is quite long (42 lines!). We are trying to merge them as much as possible but struggle because we don't know if and how risky it will be to group them (since there are different asset owners).
For a company of 50 people, we have gone too deep and need to get out before we proceed.
Should we merge per name of asset?
3 - Should we take into consideration the asset owner?
4 - Can we have the same 'name of asset' more than once?
5 - Given that the company is relatively small, our CEO can also be an asset owner besides being the risk owner. As 'asset owners' we recognised all those who have access to a document, application or infrastructure; is that correct?
6 - In addition, our company is located in 2 different countries, with only one of them being in the scope for certification. The other (recognised as a subsidiary) will fully adopt the policies and actions of the mother company. That's why we implement the Risk Assessment, and in general the ISO implementation, simultaneously. All decisions derive from the mother company, and the subsidiary has an Office Manager who will probably be the Risk Owner for most of the assets in the country he is responsible for.
Some of our assets are doubled for this reason, for example: Office rooms in country A (one asset) & Office rooms in country B (second asset).
Would you consider it 'too much'?
7 - Would you do a screening of our risk assessment table once it's done (Assets, Threats, Vulnerabilities, Risk Owners, Risk Identification)?