ISO 27001 Risk Owner vs Asset Owner: What’s the Difference?

Anyone familiar with ISO 27001 should know about asset owners. They are a long-established part of the Standard, ensuring that organisations know who is responsible for managing information security weaknesses.

In the latest version of ISO 27001, the requirements added the concept of risk owners. This strengthened the Standard’s stance on organisational accountability for specific aspects of information security.

But what exactly are risk and asset owners? How are they different, and does your organisation need to appoint both? We answer those questions and more in this blog, showing you how risk owners and asset owners fit within your broader compliance practices.

ISO 27001 risk owner definition

A risk owner is a person or entity responsible for managing threats and the vulnerabilities those threats might exploit.

Each risk owner should be someone for whom the risk is relevant to their job and who has the authority to do something about it.

For example, the owner of risks associated with IT infrastructure (such as malware) should be the head of the IT department. This is because they have the best understanding of how to tackle the threat and the power to implement the necessary measures.

ISO 27001 asset owner definition

An asset owner is a person responsible for the day-to-day management of assets. This includes electronic and hard-copy information and hardware, software, services, people and facilities.

An asset owner is generally lower in the organisational hierarchy than the risk owner because any issues they discover should be directed upwards and addressed by a more senior person.

Selecting risk and asset owners

Organisations must determine separate risk owners and asset owners when implementing ISO 27001. That’s because – although they are similar – their responsibilities are distinct and extensive enough to warrant splitting the tasks between two people.

Annex 8.2 of ISO 27001, Asset Management, contains a sub-clause dedicated to asset ownership. It states that asset owners need not be the asset’s legal owners, and that they can be individuals or whole departments.

However, we recommend selecting a specific person. Otherwise, the responsibility could fall between various people, with tasks left incomplete.

Meanwhile, risk owners should be selected when you create your risk treatment plan. This process determines your overall strategy for tackling risks, and it’s simply a case of assigning someone to make sure the chosen treatments are carried out correctly.

Simplify your risk assessment process

Looking for more guidance on your ISO 27001 risk assessment process? Our vsRisk software package provides a fast and straightforward way to create your risk assessment methodology and deliver repeatable, consistent assessments year after year.

Its asset library assigns organisational roles to each asset group, applying relevant threats and risks by default.

Meanwhile, its integrated risk, vulnerability, and threat databases eliminate the need to compile a list of risks, and the built-in control sets help you comply with multiple frameworks.

A version of this blog was originally published on 10 June 2020.
