Roles and Responsibilities
Assets and risk assessment
I think your risk assessment will have more depth if you separate the physical server as an asset from the software and databases that run on it - you will be able to focus better on key issues; however, this is not something that is required by ISO 27001 - if you don't want to go into too much detail, you can consider a server as one asset that consists of both hardware and software/data.
The dilemma of whether to separate production and development servers depends on how different they are - if there are significantly different threats and vulnerabilities for these two servers, it would be better to assess them separately; if they are quite similar, you can save time and assess them as a single item.
Thank you, it's very clear. Is the computer room considered an asset or a control?
Jan 12, 2016