
Risk Assessment Questions

Guest user. Created: Sep 13, 2021. Last commented: Sep 13, 2021.


1. I have one hundred laptops and thirty servers. Do I list them all individually in the Risk Assessment Table?

2. The aforementioned devices are in outsourced data centers, but they still must be listed as risks, correct?

3. I am assuming that much of the risk will be transferred to the outsourcer?


Expert
Rhand Leal Sep 13, 2021

1. I have one hundred laptops and thirty servers. Do I list them all individually in the Risk Assessment Table?

You do not need to list individual laptops and servers in the Risk Assessment Table.

You can adopt a generic term like "laptop" or "server" if they share similar risks. In case there are laptops with specific risks, you can use specific assets like "laptop", "development laptop", and "finance laptop". The same concept applies to servers.

For further information:

2. The aforementioned devices are in outsourced data centers, but they still must be listed as risks, correct?

The devices only need to be listed as risks in your Risk Assessment Table if you have control over them (i.e., the outsourced data center only provides the physical facilities, and you need to handle the risks related to the devices).

In case they are controlled by the provider, then you should list the outsourced data center as an asset in your Risk Assessment Table (in this case you need to look for risks related to the supplier not protecting the devices).

For further information, see:

3. I am assuming that much of the risk will be transferred to the outsourcer?

This decision will depend on which party has control over the assets. For example, if you have control over the servers (e.g., you need to configure them), then it does not make sense to transfer the risks to the outsourcer. In case you only use the services provided by the servers, which are controlled by the outsourcer, then the risks related to them can be transferred to the outsourcer.

This article will provide you with a further explanation:
