This is a question which comes up time and time again. Typically, this question is twofold; which assets to include and the depth or granularity. In this blog, we will look at granularity.
In short, stay high-level where possible. Your goal, through the risk assessment, is to identify and then manage your risks in terms of confidentially, integrity and availability (CIA). If you start with an asset list pages long, perhaps by taking an extract from IT’s configuration management database (CMDB), your results are going to be pages long. With this level of detail, you will find yourself spending a significant amount of time trying to consolidate risks into a manageable number. You can always go down into additional detail where an asset has a different CIA value. For example, if you have laptops which store, process or transmit information, then you need to include these in your assessment. However, you do not need to include every make and model in your assessment or even group laptops by every department. We should group these by the levels of information they have access to. So ‘Laptops’ could be used to cover most staff members’ laptops, as they all have access to the same level of information. You can then use ‘Sensitive Laptops’ for laptops that are used by your senior management team or HR, as these laptops will typically have a higher level of access to information.
By grouping these assets, you reduce the number of duplicated results in your risk assessment and get a more detailed and manageable representation of risk. Also, if the controls are likely to be deployed consistently across all assets, then there may be no benefit to splitting assets into subcategories. For example, if all laptops will be encrypted and have similar endpoint controls (e.g., antivirus, firewalling), then rating the asset as a worst case will be appropriate.
So, think about what that asset ultimately holds or has access to and approach your asset with that in mind!
Unsure whether your ICT risk framework meets DORA standards? Our experts will carry out a detailed gap analysis and provide clear, prioritised steps to help you achieve full compliance.
Our consultants will evaluate your organisation against DORA’s core requirements. Gain practical insights to strengthen your digital resilience and meet regulatory expectations.
Close your compliance gaps with expert support. We’ll deliver tailored, actionable recommendations to ensure you meet DORA requirements and protect your operations.

Annex A of ISO 27001 comprises 114 controls which are grouped into the following 14 control categories.

As with all ISO standards, it has been developed by a panel of experts and provides a specification for the development of a ‘best practice" ISMS

URM’s blog explains what ISO 27002 is, how it can benefit your organisation, & how you can use it to support your implementation of an ISO 27001-conformant ISMS