If you’re certifying to ISO 27001, one of the first things you need to do is identify your information assets. After all, it’s only once you know what you’re dealing with that you can determine the threats associated with it.
Information assets can refer to physical and digital files, including intellectual property, CDs and storage devices, laptops and hard drives.
How you approach that is entirely up to you, but an asset-based approach is widely regarded as best practice, because it provides a thorough framework.
At the core of an asset-based risk assessment is the asset register – i.e. a document that specifies every place where you keep sensitive information.
The best way to complete this is by interviewing asset owners. The ‘asset owner’ is the individual or entity responsible for controlling the production, development, maintenance, use and security of an information asset.
They will know how information flows through their department, and simply asking them to produce this information will be quicker and less invasive than getting your implementation or compliance team to scour the entire organisation.
Once you’ve completed the asset register, you can begin to identify and analyse the risks associated with those assets. This information is the ‘meat’ of your risk assessment, but it’s not possible without first identifying your assets.
What should you do next?
Our whitepaper 5 critical steps to successful ISO 27001 risk assessments contains an in-depth explanation of everything you need to complete the risk assessment process.
By reading this free guide, you’ll learn:
- How to determine the optimum risk scale so you can determine the impact and likelihood of risks;
- How to systematically go about identifying, evaluating and analysing risks without losing your mind;
- The baseline security criteria you must establish for a successful ISO 27001 implementation.
A version of this blog was originally published on 16 June 2016.