Streamlining Asset Identification For Effective Risk Management

|
|
|
PUBLISHED on
25
May
2022
SUMMARY

A question that comes up time and time again is ‘How do you approach asset identification within my information security risk assessment’.  Typically, this question is twofold; which assets to include and the depth or granularity.  This week’s top tip will look at granularity.

In short, stay high level where possible.  Your goal, through the risk assessment, is to identify and then manage your risks in terms of confidentially, integrity and availability (CIA).  If you start with an asset list pages long, perhaps by taking an extract from your IT department’s configuration management database (CMDB), your results are going to be pages long.  With this level of detail, you will find yourself spending a significant amount of time trying to consolidate risks into a manageable number.  You can always go into additional detail where an asset has a different CIA value.  For example, if you have laptops which store, process or transmit information, you need to include these in your assessment.  However, you do not need to include every make and model in your assessment or even group laptops by every department; they should instead be grouped by the levels of information they have access to.  So ‘Laptops’ could be used to cover most staff members’ laptops, as they all have access to the same level of information.  You can then create a separate group for ‘Sensitive Laptops’, i.e., laptops that are used by your senior management team or HR, as these laptops will typically have a higher level of access to information.

By grouping these assets, you reduce the number of duplicated results in your risk assessment and get a more detailed and manageable representation of risk.  Also, if the controls are likely to be deployed consistently across all assets, then there may be no benefit to splitting assets into subcategories.  For example, if all laptops are encrypted and have similar endpoint controls (e.g. antivirus, firewalling), then grouping the assets in one will be appropriate.

So, consider what that asset ultimately holds or has access to, and approach your asset granularity with that in mind!

How URM Can Help

With over 2 decades of experience supporting hundreds of organisations’ information security risk management programmes, URM is the ideal partner to help you create and implement an effective and practical information security risk management approach.  With our proven information security risk management software, Abriska 27001, we can support the entire risk assessment process, identifying not only the threats to your information assets, but also the likelihood and impact of them occurring.  We can also assist with risk treatment and help you prioritise risk treatment activities to maximise your time, effort and budget.

Do you need any help with ISO 27001 certificate?

URM can help you achieve ISO 27001 certification
Thumbnail of the Blog Illustration
Information Security
Published on
18/7/2025
ISO 27001:2022 - A.5 Organisational Controls (Business Continuity)

URM’s blog explores the ISO 27001 business continuity controls, why they matter, & how they can be effectively implemented to ensure conformance to the Standard

Read more
Thumbnail of the Blog Illustration
Information Security
Published on
8/3/2024
Lessons Learnt from Early ISO 27001:2022 Transitions

URM’s blog, produced in collaboration with BSI, discusses common mistakes we have seen in early ISO 27001:2022 transitions, and how to avoid them.

Read more
Thumbnail of the Blog Illustration
Information Security
Published on
21/7/2022
ISO 27002:2022 Update

The purpose of ISO 27002 is to provide organisations with guidance on selecting, implementing and managing information security controls.

Read more
I wanted to say thank you to our consultant for all the feedback/information he’s helped with over the years he’s been coming. It’s only been a couple of days a year but it’s been really helpful in understanding the sort of mentality and process we should be working to, I’ve really benefited from the level of thoroughness and care to detail he’s demonstrated
contact US

Let us help you

Let us help you in your compliance journey by completing the form and letting us know how we can best support you.