Risk Assessment Questions
1. I have one hundred laptops and thirty servers. Do I list them all individually in the Risk Assessment Table?
You do not need to list individual laptops and servers in the Risk Assessment Table.
You can adopt a generic term like "laptop" or "server" if they share similar risks. If some laptops carry specific risks, you can use more specific assets such as "laptop", "development laptop", and "finance laptop". The same concept applies to servers.
For further information:
- How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/
2. The aforementioned devices are in outsourced data centers, but they still must be listed as risks, correct?
The devices only need to be listed as risks in your Risk Assessment Table if you have control over them (i.e., the outsourced data center only provides the physical facilities, and you need to handle the risks related to the devices).
If they are controlled by the provider, then you should list the outsourced data center as an asset in your Risk Assessment Table (in this case you need to look for risks related to the supplier not protecting the devices).
For further information, see:
- 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/
3. I am assuming that much of the risk will be transferred to the outsourcer?
This decision will depend on which party has control over the assets. For example, if you have control over the servers (e.g., you need to configure them), then it does not make sense to transfer the risks to the outsourcer. If you only use the services provided by the servers, which are controlled by the outsourcer, then the risks related to them can be transferred to the outsourcer.
This article provides further explanation:
- Defining the ISMS scope if the servers are in the cloud https://advisera.com/27001academy/blog/2017/05/22/defining-the-isms-scope-if-the-servers-are-in-the-cloud/
Sep 13, 2021