ISO 27001: What’s the difference between a risk owner and an asset owner?

The latest iteration of ISO 27001 introduced the concept of risk owners in addition to asset owners. This strengthened the Standard’s stance that organisations must appoint people to take accountability for specific aspects of information security.

But what exactly are risk and asset owners? We explain both terms in this blog and show you how they fit in within your wider compliance practices.

What is a risk owner?

A risk owner is a person or entity responsible for managing threats and vulnerabilities that they might exploit.

The owner of each risk should be someone for whom the risk is relevant to their job and who has the authority to do something about it.

For example, the owner of risks associated with IT infrastructure – such as malware – should be the head of the IT department, because they have the best understanding of how to tackle the threat and the power to implement the necessary measures.

What is an asset owner?

An asset owner is the person responsible for the day-to-day management of assets. This includes not only electronic and hard-copy information but also hardware, software, services, people and facilities.

An asset owner is generally lower in the organisational hierarchy than the risk owner because any issues they discover should be directed upwards and addressed by a more senior person.

To continue our earlier example, if the owner for risks associated with IT infrastructure is the head of the IT department, then the asset owner for the servers on which the at-risk information is held would be an IT administrator.

Selecting risk and asset owners

Organisations must determine separate risk owners and asset owners when implementing ISO 27001. That’s because – although they are similar – their responsibilities are distinct and extensive enough to warrant splitting the tasks between two people.

Annex 8.2 of ISO 27001, Asset Management, contains a sub-clause dedicated to asset ownership. It states that asset owners can be different to legal owners and individuals or whole departments.

However, we recommend selecting a specific person, otherwise the responsibility could fall between various people, with tasks left incomplete.

Meanwhile, risk ownership should be selected when you create your risk treatment plan. This process determines your overall strategy for tackling risks, and it’s simply a case of assigning someone to make sure they are carried out correctly.

Simplify your risk assessment process

Looking for more guidance on your ISO 27001 risk assessment process? Our vsRisk software package provides a simple and fast way to create your risk assessment methodology and deliver repeatable, consistent assessments year after year.

Its asset library assigns organisational roles to each asset group, applying relevant potential threats and risks by default.

Meanwhile, its integrated risk, vulnerability and threat databases eliminate the need to compile a list of risks, and the built-in control sets help you comply with multiple frameworks.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.