
Expert Advice Community


What asset to list when Risks relate to general or high-level assets?

Guest user Created:   Aug 10, 2023 Last commented:   Aug 10, 2023


In the risk register/table, some risks relate to high-level or more general assets that I do not have in my asset register.

For example:

  • User error >> most assets

  • Information interception >> most assets

  • Malicious action by employees >> almost everything

  • Unauthorized access to the information system >> all systems and docs

  • Leakage/disclosure of information >> all docs and data

  • Unauthorized change of records >> all systems with records

What should I write as an asset for these risks in the relevant tables (risks, risk treatment, etc.)?


Expert
Rhand Leal Aug 10, 2023

Please note that to properly identify the assets you need to talk to personnel from all the processes included in your ISMS scope, because these people will help you identify:

  • the most relevant risks that you should consider, and from that you can identify the assets.
  • the most valuable assets from their point of view, and from that you can identify related risks.

For example, HR personnel might tell you that the most relevant risks are related to payroll software.

Another example: a company's laptops can be considered a valuable asset exposed to the same risks, and in this case, you can consider a single asset (laptop), but in some cases, you may need to have specific assets like financial laptops, development laptops, or sales laptops, because they are exposed to different risks.

The most important point is that you need to talk to the personnel who work with the information you want to protect because they are the ones with the experience to identify the assets you need to consider.

For further information, see:
