Statement of applicability A.9.1.2 (Access to networks and network services)
When a risk is similar for several assets, you can create a single asset to represent them all and associate the risk with it, as you suggested.
For example, you do not need to record an organization's notebooks as individual assets (you can add an asset called "notebook"), but if they have specific purposes with different risk levels you can use specific assets like "notebook", "development notebook", and "finance notebook". The same concept applies to IT assets.
For further information, see:
- Asset management according to ISO 27001: How to handle an asset register/asset inventory https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/
Apr 27, 2022