What asset to list when Risks relate to general or high-level assets?
In the risk register/table, some risks relate to high-level or more general assets that I do not have in my asset register.
For example:
-
User error >> most assets
-
Information interception >> most assets
-
Malicious action by employees >> almost everything
-
Unauthorized access to the information system >> all system and docs
-
Leakage/disclosure of information >> all docs and data
-
Unauthorized change of records >> all systems with records
What should I write as an asset for these risks in the relevant tables (risks, risk treatment etc).
Assign topic to the user
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more 
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more
Please note that to properly identify the assets you need to talk to personnel from all the processes included in your ISMS scope, because these people will help you identify:
- the most relevant risks that you should consider, and from that you can identify the assets.
- the most valuable assets from their point of view, and from that you can identify related risks.
For example, HR personnel might tell you that the most relevant risks are related to payroll software.
Another example: company’s laptops can be considered a valuable asset exposed to the same risks, and in this case, you can consider a single asset (laptop), but in some cases, you may need to have specific assets like financial laptops, development laptops, or sales laptops, because they are exposed to different risks.
The most important point is that you need to talk to the personnel that works with the information you want to protect because they are the ones with the experience to identify the assets you need to consider.
For further information, see:
Comment as guest or Sign in
Aug 10, 2023