Asset identification within RA

A question that comes up regularly is, "How should I approach asset identification within my information security risk assessment and ISO 27001 certification?" Typically, this question has two parts: deciding which assets to include, and determining the level of detail, known as granularity. In this week's top tip, we'll look at granularity.

In essence, aim to keep a higher-level perspective whenever feasible. Your overarching objective during the risk assessment is to identify and then manage risks in terms of confidentiality, integrity, and availability (CIA). If you begin with an extensive asset list, perhaps derived from IT's Configuration Management Database (CMDB), your results are likely to be just as extensive. Managing risks at that level of detail can consume considerable time as you work to consolidate them into a manageable number. You can always go into more detail where an asset type has differing CIA characteristics.

For example, if you have laptops that store, process, or transmit information, they must be included in your assessment. Nevertheless, there is no need to list every make and model, or to categorize laptops by department. A more effective approach is to group them according to the level of information they can access. For instance, 'Laptops' can cover the laptops used by most staff, since they typically share access to the same level of information, while 'Sensitive Laptops' can cover those used by your senior management team or HR, as these often have a higher level of access to information.

By adopting this asset grouping strategy, you minimize redundancy in your risk assessment and obtain a comprehensive yet manageable picture of the associated risks, which is also beneficial for the ISO 27001 audit. Furthermore, if the same controls will be applied consistently across all the assets in a group, there is usually no benefit in subdividing the group further. For instance, if all laptops are encrypted and carry similar endpoint controls (e.g., antivirus and firewall settings), assessing the group as a single asset on a worst-case basis is usually appropriate.
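One way to turn the grouping rule above into a repeatable check, as an added Python example that is not part of the original tip: it takes a constructed CMDB-style export, ignores make, model and department, splits an asset type only by the classification tier of the information it can reach, assesses each group at the worst-case CIA rating of its members, and flags any group whose expected controls are not consistent (the one case the tip gives for keeping a subdivision). It generalizes the tip's 'Laptops' / 'Sensitive Laptops' split to any asset type. The classification scale, the 1..5 CIA ratings, the control names and the record layout are all assumptions made for the example.

```python
from collections import defaultdict

# Ordinal scale for the highest classification of information an asset
# stores, processes or transmits (assumed scale, constructed for this example).
CLASS_RANK = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}
SENSITIVE_FROM = "confidential"  # at or above this tier -> a 'Sensitive' group

# Constructed CMDB-style export (not a real inventory). Make/model and
# department are present, as an IT CMDB would hold them, but are deliberately
# ignored when grouping. 'cia' is the per-asset (confidentiality, integrity,
# availability) impact rating on an assumed 1..5 scale; 'controls' are the
# controls expected to be applied to that asset.
CMDB = [
    {"id": "LT-0001", "type": "laptop", "model": "X1",   "dept": "Sales",       "info_class": "internal",
     "cia": (2, 2, 2), "controls": {"disk-encryption", "antivirus", "firewall"}},
    {"id": "LT-0002", "type": "laptop", "model": "T14",  "dept": "Engineering", "info_class": "internal",
     "cia": (2, 3, 2), "controls": {"disk-encryption", "antivirus", "firewall"}},
    {"id": "LT-0003", "type": "laptop", "model": "X1",   "dept": "HR",          "info_class": "confidential",
     "cia": (4, 3, 2), "controls": {"disk-encryption", "antivirus", "firewall"}},
    {"id": "LT-0004", "type": "laptop", "model": "MBP",  "dept": "Executive",   "info_class": "restricted",
     "cia": (5, 4, 3), "controls": {"disk-encryption", "antivirus", "firewall", "mdm"}},
    {"id": "SRV-001", "type": "server", "model": "R740", "dept": "IT",          "info_class": "confidential",
     "cia": (4, 4, 4), "controls": {"disk-encryption", "backup"}},
]


def group_name(asset):
    """Assessment group for an asset: its type plus an access tier.

    Only the classification of the information the asset can reach splits
    the group; make, model and department never do.
    """
    sensitive = CLASS_RANK[asset["info_class"]] >= CLASS_RANK[SENSITIVE_FROM]
    base = asset["type"].capitalize() + "s"
    return f"Sensitive {base}" if sensitive else base


def group_assets(records):
    """Collapse individual CMDB records into risk-assessment asset groups."""
    groups = defaultdict(list)
    for record in records:
        groups[group_name(record)].append(record)
    return dict(groups)


def summarise(records):
    """Per group: member count, worst-case CIA rating (element-wise maximum
    over members) and whether the expected controls are identical across
    members. Inconsistent controls mark a group worth subdividing."""
    summary = {}
    for name, members in group_assets(records).items():
        worst = tuple(max(m["cia"][i] for m in members) for i in range(3))
        control_sets = {frozenset(m["controls"]) for m in members}
        summary[name] = {
            "count": len(members),
            "members": sorted(m["id"] for m in members),
            "worst_case_cia": worst,
            "controls_consistent": len(control_sets) == 1,
        }
    return summary


if __name__ == "__main__":
    for name, s in sorted(summarise(CMDB).items()):
        note = "" if s["controls_consistent"] else "  <- controls differ; consider subdividing"
        print(f"{name}: {s['count']} asset(s), worst-case CIA={s['worst_case_cia']}{note}")
```

With the constructed data, five CMDB rows collapse to three assessment assets. 'Laptops' is assessed at (2, 3, 2) even though no single member carries that exact profile, which is what a worst-case assessment of a group means. 'Sensitive Laptops' is flagged because the executive laptop has an extra control the HR laptop lacks, so the assessor can decide whether that difference justifies a separate group or whether the controls should simply be aligned.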

Always consider what information each asset ultimately holds or can access, and let that drive your asset granularity!