Conducting an asset-based risk assessment requires the identification of information assets as a first step. If you are certifying to ISO 27001:2013 and have chosen to follow an asset-based risk assessment methodology, you will logically need to compile a list of all of the assets within the scope of your ISMS.
Building an asset register helps clarify what is valuable in your company and who is responsible for it.
Bear in mind that ISO 27001:2013 no longer mandates an asset-based methodology – the new Standard provides more flexibility in the type of method you apply. ISO 27001 experts concur that an asset-based approach is a robust and practical assessment methodology.
Note, too, that the scope of the ISMS must have been defined before you embark on your risk assessment.
vsRisk comes with an optional, pre-populated asset library. Organisational roles are pre-assigned to each asset group, and the corresponding potential threats and risks are pre-applied to each asset. vsRisk also pre-assigns the relevant controls from Annex A to each threat.
The following asset classes provide a breakdown of the assets you will need to identify:
- Information assets: This refers to information stored on paper (e.g. contracts, correspondence, user manuals, training manuals) or electronically (e.g. information on hard drives, USB sticks, video, mobile phones, databases), or any other information – even conversations are information assets.
- Software: This includes operating systems, applications, development tools, etc.
- Physical assets and hardware: These refer to any asset that can manipulate information, such as computers, mobile devices, server rooms, copper cables and fibre circuits.
- Services: This refers to the services that the computer systems depend upon, such as heating, cooling, power, lighting, etc.
- People: People are the employees, owners and managers who carry with them all the skills and information regarding how the company operates.
- Intangibles: The intellectual property of the organisation, reputation, brand, etc.
Some additional guidance on identifying assets
ISO 27001 experts at IT Governance advise creating a link between the asset inventory and the organisation’s fixed asset ledger, and/or its configuration management database (CMDB). Furthermore, although ISO 27001:2013 does not mandate the role of asset owners in the risk assessment (due to the asset-based approach no longer being prescribed), it would be wise to allocate asset owners to each of the assets for quick reference. The new version of ISO 27001 requires that risk owners, rather than asset owners, be appointed during the risk assessment for all identified risks.
In most circumstances, it is advisable to cluster individual assets into a group of assets, to reduce the effort involved in the risk assessment process. An example of this would be ‘management laptops’. Naturally, if the vulnerabilities and threats to these grouped assets are different, they should be dealt with individually.
Compiling a list of information assets can be quite a time-consuming task, and many who embark on this process for the first time find it quite daunting. How do you ensure that your asset list is comprehensive? The best way to build an asset inventory is to interview the head of each department to develop a list of all of the assets a department uses.
There are many lists of assets available for free on the Internet, which can offer a starting point. It will also help if you use your current asset register as a reference point and expand on this using the six asset categories above to ensure that you don’t miss anything.
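As an added illustration (not code from the article or from vsRisk), the following Python sketch turns two of the rules above into something checkable: every asset must fall into one of the six classes and have an owner allocated, and a proposed asset group is kept only when its members face the same threats, otherwise they are split out to be assessed individually. The class identifiers, field names and the sample register are assumptions constructed for this example.

```python
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass

# The six asset classes the article lists; these identifiers are an assumption.
ASSET_CLASSES = {"information", "software", "physical", "services", "people", "intangibles"}

@dataclass(frozen=True)
class Asset:
    name: str
    asset_class: str
    owner: str | None          # asset owner for quick reference
    group: str                 # proposed cluster, e.g. "management laptops"
    threats: frozenset[str]    # threats/vulnerabilities that apply to this asset

def validate(assets: list[Asset]) -> list[str]:
    """Report assets outside the six classes or without an allocated owner."""
    problems = []
    for a in assets:
        if a.asset_class not in ASSET_CLASSES:
            problems.append(f"{a.name}: unknown asset class '{a.asset_class}'")
        if not a.owner:
            problems.append(f"{a.name}: no asset owner allocated")
    return problems

def cluster(assets: list[Asset]) -> dict[str, list[str]]:
    """Cluster assets by proposed group, but split any group whose members
    face different threats, since those must be assessed individually."""
    by_group: dict[str, list[Asset]] = defaultdict(list)
    for a in assets:
        by_group[a.group].append(a)
    clusters: dict[str, list[str]] = {}
    for group, members in by_group.items():
        if len({m.threats for m in members}) == 1:   # identical threat profile: keep cluster
            clusters[group] = sorted(m.name for m in members)
        else:                                        # differing threats: one entry per asset
            for m in members:
                clusters[f"{group}/{m.name}"] = [m.name]
    return clusters

# Constructed sample register (not from the article); the last entry uses a class
# outside the six and the third has no owner, to show what the checks catch.
SAMPLE = [
    Asset("CEO laptop", "physical", "IT manager", "management laptops", frozenset({"theft", "malware"})),
    Asset("CFO laptop", "physical", "IT manager", "management laptops", frozenset({"theft", "malware"})),
    Asset("Field laptop", "physical", None, "field laptops", frozenset({"theft"})),
    Asset("Kiosk laptop", "physical", "Ops lead", "field laptops", frozenset({"theft", "tampering"})),
    Asset("Payroll DB", "database", "HR manager", "databases", frozenset({"unauthorised access"})),
]
```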
Source: Information Security Risk Management for ISO27001/27002 by Alan Calder and Steve Watkins