How do I Approach Asset Identification Within My Information Security Risk Assessment?
The question of asset inclusion and granularity comes up repeatedly, particularly in the context of ISO 27001. It really has two parts: which assets to include, and at what depth or level of detail to record them. This post concentrates on the second part, granularity, as it pertains to meeting ISO 27001 requirements.
In short, stay at as high a level as the assessment allows. The purpose of the risk assessment is to identify and treat risks to confidentiality, integrity and availability (CIA). If you start from an exhaustive asset list, for example a raw export of the IT configuration management database (CMDB), the assessment becomes very long, and you will then spend considerable effort consolidating near-identical risks back down to a manageable number. Granularity is worth adding only where assets genuinely differ in their CIA values. Laptops that store, process or transmit information certainly belong in the assessment, but there is no need to assess every make and model separately or to split them by department. Group them instead by the level of information they can access: a single "Laptops" asset covers most staff, who work with the same kind of information, while "Sensitive Laptops" covers those used by senior management or HR, which typically hold or can reach more sensitive data.
Grouping assets this way keeps the assessment concise and manageable and avoids duplicated findings. ISO 27001 requires an inventory of information assets and a defined risk assessment method, but it does not prescribe the level of granularity, so the grouping is yours to choose and justify. Nor do you need to split a group further when the same controls are applied consistently to every member: if all laptops are encrypted and run the same endpoint controls, such as antivirus and a host firewall, rate the whole group at the worst case of its members. Where controls are not uniform, either close the gap or split the group, otherwise a single rating is misleading. In short, decide granularity by what information each asset ultimately holds or can reach, and approach the asset assessment with ISO 27001 certification requirements in mind.
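The roll-up described above can be mechanised against a CMDB export. The following is an added example written for this post, not code from the original article or from any ISO 27001 toolkit; the CMDB columns (asset type, access level, C/I/A on a 1 to 3 scale, deployed controls) and the six sample rows are constructed assumptions. It groups devices by asset type and level of information access rather than by department or model, assigns each group the worst-case CIA of its members, and flags groups whose members do not share one control set, since those are the groups where a single rating is not yet defensible.

```python
"""Roll a per-device CMDB export up into risk-assessment asset groups.

Added illustration, not code from the original post. The CMDB columns
(asset_type, access_level, c/i/a on a 1-3 scale, controls) and the
sample rows are constructed assumptions; the grouping key (asset type
plus level of information access) mirrors the "Laptops" versus
"Sensitive Laptops" split described in the text.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class CmdbItem:
    name: str
    asset_type: str      # e.g. "Laptops" (assumed CMDB category name)
    department: str
    access_level: str    # "standard" or "sensitive" (assumed classification)
    c: int               # confidentiality, integrity, availability: 1 (low) to 3 (high)
    i: int
    a: int
    controls: frozenset  # endpoint controls actually deployed on this device


@dataclass
class AssetGroup:
    asset_type: str
    access_level: str
    members: list = field(default_factory=list)

    @property
    def label(self) -> str:
        prefix = "Sensitive " if self.access_level == "sensitive" else ""
        return prefix + self.asset_type

    def worst_case_cia(self) -> tuple:
        """One rating for the whole group: the highest C, I and A of any member."""
        return (max(m.c for m in self.members),
                max(m.i for m in self.members),
                max(m.a for m in self.members))

    def controls_consistent(self) -> bool:
        """True when every member carries the same control set, so a single
        worst-case rating is defensible for the group."""
        first = self.members[0].controls
        return all(m.controls == first for m in self.members)


# Constructed sample export: six CMDB rows standing in for a real CMDB dump.
FDE, AV, FW, BACKUP = "full_disk_encryption", "antivirus", "host_firewall", "backup"
SAMPLE_CMDB = [
    CmdbItem("LT-001", "Laptops", "Finance", "standard", 2, 2, 2, frozenset({FDE, AV, FW})),
    CmdbItem("LT-002", "Laptops", "Sales", "standard", 2, 2, 1, frozenset({FDE, AV, FW})),
    CmdbItem("LT-003", "Laptops", "Engineering", "standard", 2, 3, 2, frozenset({FDE, AV, FW})),
    CmdbItem("LT-010", "Laptops", "HR", "sensitive", 3, 3, 2, frozenset({FDE, AV, FW})),
    CmdbItem("LT-011", "Laptops", "Executive", "sensitive", 3, 2, 2, frozenset({FDE, AV})),
    CmdbItem("SRV-01", "Servers", "IT", "sensitive", 3, 3, 3, frozenset({AV, FW, BACKUP})),
]


def group_assets(items) -> dict:
    """Collapse individual CMDB rows into groups keyed by (asset type, access level).
    Department and make/model are deliberately ignored, as the text advises."""
    groups = {}
    for item in items:
        key = (item.asset_type, item.access_level)
        groups.setdefault(key, AssetGroup(*key)).members.append(item)
    return groups


def split_recommendations(groups) -> list:
    """Groups whose members do not share one control set: either close the gap
    or split the group before assigning it a single worst-case rating.
    Returns (group label, controls missing on at least one member)."""
    recs = []
    for g in groups.values():
        if g.controls_consistent():
            continue
        union = frozenset().union(*(m.controls for m in g.members))
        common = frozenset.intersection(*(m.controls for m in g.members))
        recs.append((g.label, sorted(union - common)))
    return recs


def summarise(items) -> list:
    """Risk-register rows: label, member count, worst-case (C, I, A), controls consistent."""
    return [(g.label, len(g.members), g.worst_case_cia(), g.controls_consistent())
            for g in group_assets(items).values()]


if __name__ == "__main__":
    for row in summarise(SAMPLE_CMDB):
        print(row)
    for label, missing in split_recommendations(group_assets(SAMPLE_CMDB)):
        print(f"review {label}: controls differ between members, missing on some: {missing}")
```

On the sample data the six rows collapse to three register entries, and only "Sensitive Laptops" is flagged, because one executive laptop lacks the host firewall the rest of the group has. That is exactly the case where you either fix the control gap or carve that device out into its own group before trusting the worst-case rating.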