
Expert Advice Community

Some wondering on the use of the risk management registry

Guest
Guest user Created:   Nov 18, 2021 Last commented:   Nov 18, 2021
Hello,

In the asset list, we found "remote employee" and in the vulnerabilities, we found "working off-premises", and we want to make sure of the correct understanding and the difference between the two concepts. Currently we understand:

- "remote employees" as employees usually working not in the headquarters but in a different site owned by the organization (let's say an affiliate elsewhere in Europe), using the organization's infrastructure (PC, tools, network, security...)
- "working off-premises" as an employee working on a site that does not belong to the organization (let's say working at home or on a customer site) but using the organization's infrastructure, at least partially (let's say the organization's PC but the home or customer's network access)

Is that correct?

We also found that sometimes the vulnerabilities, threat evaluation and treatment are exactly the same for several assets (e.g., "rules for working off-premises not clearly defined" will have the same threats, evaluation and treatment for all kinds of employees: top management, middle management, specific experts, remote or other). How can we manage this in the best way to avoid costly redundancies?

Expert
Rhand Leal Nov 18, 2021

1 - In the asset list, we found "remote employee" and in the vulnerabilities, we found "working off-premises", and we want to make sure of the correct understanding and the difference between the two concepts.
Currently we understand:
- "remote employees" as employees usually working not in the headquarters but in a different site owned by the organization (let's say an affiliate elsewhere in Europe), using the organization's infrastructure (PC, tools, network, security...)
- "working off-premises" as an employee working on a site that does not belong to the organization (let's say working at home or on a customer site) but using the organization's infrastructure, at least partially (let's say the organization's PC but the home or customer's network access)
Is that correct?

Answer: As "remote employees" you should understand employees working in environments other than their regular workplaces in the organization (it is not a question of whether he usually works in the headquarters or not, but of where he usually works). In your example for “remote employees”, if the employee’s regular working place is the subsidiary location, he would be only a regular employee. He would be a “remote employee” when working in the headquarters.

As for "working off-premises" you should understand working in any environment other than those controlled by the organization (e.g., working from home, from a customer site, etc.). For example, in case you have an employee who usually works in the headquarters but for a period is working in an affiliate location, this employee would be a “remote employee” but wouldn’t be “working off-premises”.

2 - We also found that sometimes the vulnerabilities, threat evaluation and treatment are exactly the same for several assets (e.g., "rules for working off-premises not clearly defined" will have the same threats, evaluation and treatment for all kinds of employees: top management, middle management, specific experts, remote or other). How can we manage this in the best way to avoid costly redundancies?

Answer: In cases like this one, you need to group assets according to the most comprehensive set of rules, so you have fewer assets to manage.

For example, instead of creating a repetitive set of rules for each employee type, you can define a single profile for all employees, or you can define a “basic” profile for all employees, and create an “advanced” profile that will include only specific groups of employees (e.g., top management, developers, financial team, etc.).

This article will provide you with further explanation about managing assets:

- How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/
