ISO 27001 is the international standard for information security management. Its premise is that an organization must establish an information security management system (ISMS), and that this management system must ensure that information security is adequate and continuously improving. The body of the standard is therefore a set of requirements that the management system itself must meet.

In addition to those management system requirements, Annex A lists a set of controls. These controls are really topics, such as "cryptography". The annex does not say exactly what you have to do with cryptography; it says that you have to think about it and describe what you do with it. One of the requirements in the body of the standard is that the organization compares its own risk treatment measures against the controls in Annex A, to check that no topic has been forgotten.
If information security is needed, the question of where that information is located soon follows, and therefore how you, as an organization, deal with the systems that hold that information. Both the information and the systems can be called business assets. ISO 27001 looks at assets from two perspectives.

The first perspective is risk assessment. The standard requires the organization to identify the risks to the confidentiality, integrity and availability of information within the scope of the ISMS, and to assign a risk owner to each risk. In practice this means naming the information (and often the systems) to which each risk relates.

The second perspective is the Annex A control on the inventory of information and other associated assets. This states that an organization must draw up an inventory of its assets and keep it up to date, and that each asset must have an owner. The idea behind this is simple: if you don't know what assets (including information) you have, you can't protect them.
When it comes to the question of how to record information and other assets, it is best to consider the two perspectives above separately. It is fine to name, under each risk, the information to which that risk relates, and to keep one or more lists of assets somewhere else. In other words, the information named under risks need not be linked to the overall asset inventory in which the owners are recorded.

It can be linked, of course. If you create one overview of information and other assets to which risks can be attached, this gives additional structure: you can then see exactly which risks are linked to a given asset. It is better still if you also record the relationships between assets, for example: customer data is held in a CRM system, which runs on a particular server. Combined with the classification of the information, you can then derive how each asset must be protected, because a server that holds confidential data has to be protected as confidential even if the server record itself carries no classification. ISOPlanner contains everything you need to record company assets in this way.
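The asset model described above (assets with owners, risks attached to information, and a hosting relationship between assets) can be expressed in a few lines of code. The following is an added example, not ISOPlanner's code and not text from the standard; the asset names, classification levels and risk identifiers are constructed for illustration. It derives the effective classification of a system from the information hosted on it, lists which risks reach a given server, and reports assets that have no owner, which is the check the inventory control asks for.

```python
"""Minimal asset register: owners, classification, hosting relations, risk links.

Added example for illustration only. The classification scale, asset names and
risk register below are constructed and do not come from ISO 27001 or ISOPlanner.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

# Constructed classification scale; a higher index means stricter protection.
LEVELS = ["public", "internal", "confidential", "secret"]


@dataclass(frozen=True)
class Asset:
    name: str
    kind: str                       # "information", "application", "server", ...
    owner: str | None = None        # every asset should have one (Annex A inventory control)
    classification: str | None = None   # normally only information assets carry this
    hosted_on: str | None = None    # name of the asset this one lives on, if any


def build_register(assets: list[Asset]) -> dict[str, Asset]:
    """Index assets by name and reject duplicates, unknown levels and dangling hosts."""
    register: dict[str, Asset] = {}
    for a in assets:
        if a.name in register:
            raise ValueError(f"duplicate asset name: {a.name!r}")
        if a.classification is not None and a.classification not in LEVELS:
            raise ValueError(f"{a.name}: unknown classification {a.classification!r}")
        register[a.name] = a
    for a in assets:
        if a.hosted_on is not None and a.hosted_on not in register:
            raise ValueError(f"{a.name}: hosted on unknown asset {a.hosted_on!r}")
    return register


def hosted_assets(register: dict[str, Asset]) -> dict[str, list[str]]:
    """Reverse map: host name -> names of the assets that live directly on it."""
    children: dict[str, list[str]] = defaultdict(list)
    for a in register.values():
        if a.hosted_on is not None:
            children[a.hosted_on].append(a.name)
    return children


def _effective_level(register, children, name, path: frozenset) -> int:
    if name in path:
        raise ValueError(f"hosting cycle through {name!r}")
    own = register[name].classification
    level = LEVELS.index(own) if own is not None else -1
    for child in children.get(name, ()):
        level = max(level, _effective_level(register, children, child, path | {name}))
    return level


def effective_classification(register: dict[str, Asset], name: str) -> str | None:
    """Strictest classification of the asset itself or of anything hosted on it,
    transitively. None means nothing classified sits on this asset."""
    level = _effective_level(register, hosted_assets(register), name, frozenset())
    return LEVELS[level] if level >= 0 else None


def assets_on(register: dict[str, Asset], name: str) -> set[str]:
    """The asset itself plus everything that, directly or indirectly, lives on it."""
    children = hosted_assets(register)
    seen, stack = set(), [name]
    while stack:
        n = stack.pop()
        if n in seen:
            continue
        seen.add(n)
        stack.extend(children.get(n, ()))
    return seen


def risks_affecting(register, risks: list[tuple[str, str]], name: str) -> list[str]:
    """Risk IDs whose linked information sits (transitively) on `name`.
    `risks` is a list of (risk_id, information_asset_name) pairs."""
    affected = assets_on(register, name)
    return sorted(rid for rid, target in risks if target in affected)


def missing_owners(register: dict[str, Asset]) -> list[str]:
    """Assets without an owner: these fail the inventory control's ownership requirement."""
    return sorted(a.name for a in register.values() if not a.owner)


# Constructed sample inventory: customer data in a CRM on srv-01, a public price
# list on the website on srv-02. srv-01 has deliberately been left without an owner.
SAMPLE_ASSETS = [
    Asset("customer_data", "information", "Sales director", "confidential", hosted_on="crm"),
    Asset("price_list", "information", "Marketing", "public", hosted_on="website"),
    Asset("crm", "application", "IT manager", hosted_on="srv-01"),
    Asset("website", "application", "Marketing", hosted_on="srv-02"),
    Asset("srv-01", "server"),
    Asset("srv-02", "server", "IT manager"),
]
SAMPLE_RISKS = [("R-01", "customer_data"), ("R-02", "price_list")]  # constructed risk register

if __name__ == "__main__":
    reg = build_register(SAMPLE_ASSETS)
    for asset_name in reg:
        print(f"{asset_name:14} {effective_classification(reg, asset_name) or '-':13}"
              f" risks={risks_affecting(reg, SAMPLE_RISKS, asset_name)}")
    print("assets without owner:", missing_owners(reg))
```

Running the block prints, per asset, the classification it inherits from what it hosts and the risks that reach it: srv-01 ends up "confidential" with R-01 attached purely because customer_data sits on the CRM that runs on it, and it is also flagged as having no owner. The cycle check in `_effective_level` matters in practice, since a virtual machine recorded as hosted on a storage system that is itself recorded as hosted on that VM would otherwise recurse forever.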