How do I Approach Asset Identification Within My Information Security Risk Assessment?

|
|
|
PUBLISHED on
20
July
2022
SUMMARY

This is a question which comes up time and time again.  Typically, this question is twofold; which assets to include and the depth or granularity.  In this blog, we will look at granularity.

In short, stay high-level where possible.  Your goal, through the risk assessment, is to identify and then manage your risks in terms of confidentially, integrity and availability (CIA).  If you start with an asset list pages long, perhaps by taking an extract from IT’s configuration management database (CMDB), your results are going to be pages long.  With this level of detail, you will find yourself spending a significant amount of time trying to consolidate risks into a manageable number.  You can always go down into additional detail where an asset has a different CIA value.  For example, if you have laptops which store, process or transmit information, then you need to include these in your assessment.  However, you do not need to include every make and model in your assessment or even group laptops by every department.  We should group these by the levels of information they have access to.  So ‘Laptops’ could be used to cover most staff members’ laptops, as they all have access to the same level of information.  You can then use ‘Sensitive Laptops’ for laptops that are used by your senior management team or HR, as these laptops will typically have a higher level of access to information.

By grouping these assets, you reduce the number of duplicated results in your risk assessment and get a more detailed and manageable representation of risk.  Also, if the controls are likely to be deployed consistently across all assets, then there may be no benefit to splitting assets into subcategories. For example, if all laptops will be encrypted and have similar endpoint controls (e.g., antivirus, firewalling), then rating the asset as a worst case will be appropriate.

So, think about what that asset ultimately holds or has access to and approach your asset with that in mind!

Do you need any help with ISO 27001 certificate?

URM can help you achieve ISO 27001 certification
Thumbnail of the Blog Illustration
Information Security
Published on
9/2/2024
The New Threat Intelligence Requirements in ISO 27001:2022

URM’s blog discusses the changes to the requirements around threat intelligence in ISO 27001:2022 and what certified organisations will need to do differently.

Read more
Thumbnail of the Blog Illustration
Other Standards
Published on
1/3/2024
ISO and IAF add Climate Change Considerations to 31 Management Systems Standards

On 22 February 2024 ISO and IAF released a joint statement relating to an amendment to a total of 31 existing Annex SL management system standards.

Read more
Thumbnail of the Blog Illustration
Information Security
Published on
16/5/2025
ISO 27001:2022 - A.5 Organisational Controls (Information Security Management)

URM explains the 8 information security management controls included within the ‘Organisational controls’ theme and how to prepare for an audit of each control

Read more
The feedback on URM’s report was that it was the best document the developer had ever received due to it being so concise and clear. He has saved it on his desktop and suggested that the business should use a similar template for internal docs. This great feedback reflects not only on the URM penetration tester who conducted the test, but also on the senior members of URM’s Cyber Team for all the work they have put in to producing such a brilliant reporting template.
contact US

Let us help you

Let us help you in your compliance journey by completing the form and letting us know how we can best support you.