Who should be the asset owner
We have purchased your ISO27001. We are at the point of creating Risk Assessment Table. We have also watched the video of this area. The 2 questions we are divided on is:
1. A user of a laptop or computer - do the assets need to be listed separately with the individual user?
2. If yes, then would every user need to be presented as a group or individually to offer feedback on the risks that they feel are individual to them for that asset? Correct? Would be interested in any feedback. Thanks
1. A user of a laptop or computer - do the assets need to be listed separately with the individual user?
ISO 27001 does not prescribe how to define asset ownership, so organizations can define it as best suits them.
In general, you do not need to list laptops and computers separately with individual users, because in most cases they all share the same risk. It is sufficient to list a single asset (e.g., laptop or computer) and, for this asset, designate a generic owner (e.g., user). Only in cases where you have a specific risk should you include specific assets and owners (e.g., "finance laptop" for the asset, and "CFO" for the user).
2. If yes, then would every user need to be presented as a group or individually to offer feedback on the risks that they feel are individual to them for that asset? Correct? Would be interested in any feedback. Thanks
For generic assets such as "laptop", you should list at least the most seasoned personnel in the organization and the key users (there is no need to list all people that have a laptop), so you can gather good feedback without much effort. For individual assets such as "finance laptop," you should list the person responsible for it.
These articles will provide you with further explanation about the asset register and risk assessment:
- How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/
- ISO 27001 risk assessment: How to match assets, threats, and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/
These materials will also help you regarding risk assessment:
- The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
Jul 01, 2020