Risk Assessment Question
At *** we are currently working on our first Risk Assessment and as it's a complicated process, we do have some questions.
1 - Following the steps, we first identified the assets and asset owners.
It was quite difficult given the fact that for the same asset, we may have different asset owners.
Should we keep them in separate lines? It's highly possible that there will be a different Risk Owner.
2 - Our company develops software and has many different applications. Therefore, the Category of Applications & Databases is quite long (42 lines!). We are trying to merge them as much as possible but struggle because we don't know if and how risky it will be to group them (since there are different asset owners).
For a company of 50 people, we have gone too deep and need to get out before we proceed.
Should we merge per name of asset?
3 - Should we take into consideration the asset owner?
4 - Can we have more than once the same 'name of asset'?
5 - Given that the company is relatively small, our CEO can also be an asset owner besides being the risk owner. As 'asset owners' we recognised all those who have access to a document, application or infrastructure; is that correct?
6 - In addition, our company is located in 2 different countries, with only one of them being in the scope for certification. The other (recognised as a subsidiary) will fully adopt the policies and actions of the mother company. That's why we implement the Risk Assessment, and in general the ISO implementation, simultaneously. All decisions derive from the mother company, and the subsidiary has an Office Manager who will probably be the Risk Owner for most of the assets in the country he is responsible for.
Some of our assets are doubled for this reason, for example: Office rooms in country A (one asset) & Office rooms in country B (second asset).
Would you consider it 'too much'?
7 - Would you do a screening of our risk assessment table once it's done (Assets, Threats, Vulnerabilities, Risk Owners, Risk Identification)?
1 - Following the steps, we first identified the assets and asset owners.
It was quite difficult given the fact that for the same asset, we may have different asset owners.
Should we keep them in separate lines? It's highly possible that there will be a different Risk Owner.
To keep your asset list as simple as possible, and in the interest of saving time, you should group the assets whenever possible (as for the asset owner, you should consider the role with the highest hierarchical position among the roles you identified) and keep separate lines only when strictly necessary.
2 - Our company develops software and has many different applications. Therefore, the Category of Applications & Databases is quite long (42 lines!). We are trying to merge them as much as possible but struggle because we don't know if and how risky it will be to group them (since there are different asset owners).
For a company of 50 people, we have gone too deep and need to get out before we proceed.
Should we merge per name of asset?
It is better to merge assets by considering the risks related to them. For example, if assets like Microsoft applications and Linux applications have similar risks, then it is better to adopt an asset called “applications” merging all risks.
3 - Should we take into consideration the asset owner?
You should consider the asset owner only as a secondary criterion because the primary reason for merging assets is that they share similar risks.
4 - Can we have more than once the same 'name of asset'?
You should avoid having two or more assets with the same name, to prevent mistakes in defining responsibilities for the assets. You should provide some additional information in the name of the asset to differentiate them (such as “laptop” and “sales laptop”).
5 - Given that the company is relatively small, our CEO can also be an asset owner besides being the risk owner. As 'asset owners' we recognised all those who have access to a document, application or infrastructure; is that correct?
Please note that the “asset owner” is the person responsible for ensuring the asset is properly protected (e.g., by defining proper controls to be implemented). Considering that, not all people who have access to an asset are its owners (they need to follow the security controls applied to the asset, but do not define such controls).
6 - In addition, our company is located in 2 different countries, with only one of them being in the scope for certification. The other (recognised as a subsidiary) will fully adopt the policies and actions of the mother company. That's why we implement the Risk Assessment, and in general the ISO implementation, simultaneously. All decisions derive from the mother company, and the subsidiary has an Office Manager who will probably be the Risk Owner for most of the assets in the country he is responsible for.
Some of our assets are doubled for this reason, for example: Office rooms in country A (one asset) & Office rooms in country B (second asset).
Would you consider it 'too much'?
Please note that you do not need to include, in the risk assessment for the site to be certified, assets from the site that will not be certified. This would only add unnecessary complexity to your implementation. It would be better to develop a separate risk assessment considering only the assets that are exclusive to the non-certified site.
7 - Would you do a screening of our risk assessment table once it's done (Assets, Threats, Vulnerabilities, Risk Owners, Risk Identification)?
Your toolkit includes a review of a defined number of documents, so you can send us your risk assessment and we will provide recommendations for implementation if needed.
Feb 20, 2023