Assets are usually used to perform the risk assessment although not mandatory by ISO 27001:2013
How will i take risk assessment ? I mean based on what . Can I do implement ISo27001 with out asset management and risk assessment ?
Answer:
The recommendable is to have a risk management based on assets, although you are right, it is not mandatory. Another approach is to base your risk management in process, but generally it is for big companies. So, you can implement ISO 27001 without a risk management based on assets, although it is not recommendable (most of methodologies are based on assets). Anyway, the asset management is an important issue in ISO 27001, and you can do it independently of the risk management. Furthermore it is mandatory to have a document for the inventory of assets.
You can see here the list of mandatory documents List of mandatory documents required by ISO 27001 (2013 revision) : https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
And this article can be also interesting for you How to handle Asset register (Asset inventory) according to ISO 27001 : https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/
Comment as guest or Sign in
Jan 13, 2016