Asset identification within RA

Published on 25 May 2022


A question which comes up time and time again is ‘How do I approach asset identification within my information security risk assessment?’.  Typically, this question is twofold: which assets to include, and at what depth or granularity.  This week’s top tip looks at granularity.

In short, stay high level where possible.  Your goal, through the risk assessment, is to identify and then manage your risks in terms of confidentiality, integrity and availability (CIA).  If you start with an asset list pages long, perhaps by taking an extract from IT’s Configuration Management Database (CMDB), your results are going to be pages long too.  With this level of detail, you will find yourself spending a significant amount of time trying to consolidate risks into a manageable number.  You can always go down into additional detail where a subset of an asset has a different CIA value.  For example, if you have laptops which store, process or transmit information, you need to include these in your assessment.  However, you do not need to include every make and model, or even group laptops by every department.  Group them instead by the level of information they have access to.  So ‘Laptops’ could cover most staff members’ laptops, as they all have access to the same level of information.  You can then use ‘Sensitive Laptops’ for laptops used by your senior management team or HR, as these will typically have access to a higher level of information.

By grouping these assets, you reduce the number of duplicated results in your risk assessment and get a clearer, more manageable representation of risk.  Also, if the controls are likely to be deployed consistently across all assets in a group, there may be no benefit in splitting that group into subcategories.  For example, if all laptops will be encrypted and have similar endpoint controls (e.g. antivirus, firewalling), then rating the whole group at the worst-case CIA value of its members will be appropriate.
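As an added illustration (this is example code, not part of the original post or any URM tooling), the script below takes a constructed CMDB extract, groups devices by asset type and information classification while ignoring make, model and department, rates each group at the worst-case CIA value of its members, and flags any group whose members' CIA ratings differ widely enough that a subcategory may be worth adding. The classification labels, the 1 to 5 CIA scale and the spread threshold are all assumptions chosen for the example.

```python
"""Consolidate a CMDB extract into grouped risk-assessment assets.

Added example, not from the original post.  The CMDB rows, the
classification labels and the 1 (low) to 5 (high) CIA scale are
constructed for illustration; adapt them to your own scheme.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample rows, as an IT CMDB extract might look once you add
# the classification of information each device accesses.
# cia = (confidentiality, integrity, availability) rating, 1 to 5.
CMDB_EXTRACT = [
    {"id": "LT-0001", "type": "Laptop", "model": "X1 Carbon", "dept": "Sales",
     "classification": "Internal", "cia": (2, 2, 2)},
    {"id": "LT-0002", "type": "Laptop", "model": "Latitude 5420", "dept": "Marketing",
     "classification": "Internal", "cia": (2, 2, 3)},
    {"id": "LT-0003", "type": "Laptop", "model": "MacBook Pro", "dept": "HR",
     "classification": "Confidential", "cia": (4, 3, 2)},
    {"id": "LT-0004", "type": "Laptop", "model": "X1 Carbon", "dept": "Exec",
     "classification": "Confidential", "cia": (5, 4, 3)},
    {"id": "SV-0001", "type": "Server", "model": "R740", "dept": "IT",
     "classification": "Confidential", "cia": (4, 4, 5)},
    {"id": "SV-0002", "type": "Server", "model": "R740", "dept": "IT",
     "classification": "Internal", "cia": (2, 3, 2)},
    {"id": "SV-0003", "type": "Server", "model": "R640", "dept": "IT",
     "classification": "Internal", "cia": (2, 3, 5)},
]

# Assumption: classification labels ordered from least to most sensitive.
CLASSIFICATION_ORDER = ["Public", "Internal", "Confidential"]


@dataclass
class GroupedAsset:
    name: str
    members: list      # CMDB ids collapsed into this asset
    cia: tuple         # worst case (element-wise max) across members
    spread: tuple      # max minus min per dimension across members


def worst_case(cias):
    return tuple(max(c[i] for c in cias) for i in range(3))


def cia_spread(cias):
    return tuple(max(c[i] for c in cias) - min(c[i] for c in cias) for i in range(3))


def group_name(asset_type, classification):
    # Anything at or above Confidential becomes e.g. "Sensitive Laptops".
    sensitive = (CLASSIFICATION_ORDER.index(classification)
                 >= CLASSIFICATION_ORDER.index("Confidential"))
    return ("Sensitive " if sensitive else "") + asset_type + "s"


def group_assets(rows):
    """Group by (type, classification); make, model and dept are ignored."""
    groups = defaultdict(list)
    for row in rows:
        groups[(row["type"], row["classification"])].append(row)

    result = []
    for (asset_type, classification), members in groups.items():
        cias = [m["cia"] for m in members]
        result.append(GroupedAsset(
            name=group_name(asset_type, classification),
            members=sorted(m["id"] for m in members),
            cia=worst_case(cias),
            spread=cia_spread(cias),
        ))
    return sorted(result, key=lambda g: g.name)


def needs_split(group, max_spread=1):
    """True when members differ by more than max_spread (assumed threshold)
    in any CIA dimension, i.e. the worst-case rating hides a distinct risk."""
    return any(s > max_spread for s in group.spread)


if __name__ == "__main__":
    grouped = group_assets(CMDB_EXTRACT)
    print(f"{len(CMDB_EXTRACT)} CMDB rows -> {len(grouped)} assessable assets")
    for g in grouped:
        flag = "  (consider a subcategory)" if needs_split(g) else ""
        print(f"{g.name:18} C/I/A={g.cia} members={g.members}{flag}")
```

Run as-is, seven CMDB rows collapse to four assessable assets. The two internal servers share a classification but differ by three steps in availability, so that group is flagged: the worst-case rating would otherwise drive availability controls for a low-availability system, which is exactly the case where going down a level of detail pays off.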

So, think about what the asset ultimately holds or has access to, and approach your asset granularity with that in mind!
