So I need to compile a list of ALL assets, information or otherwise,
That leads to tables and chairs and powerbars.
OK so you can’t work without those, but that’s not what I meant.
Physical assets are only relevant in so far as they part of information processing. You should not start from those, you should start from the information and look at how the business processes make use of it. Don’t confuse you DR/BC plan with your core ISMS statements. ISO Standard 22301 addresses that.
This is, ultimately, about the business processes.
In our first iteration/approximation, you should not focus on hardware at all, except for conditions like ‘portable media’ – laptops, USB sticks, smartphones. The risk assessment process is directed at the information assets only.And having the physical in there will just complicate your job and confuse your focus.
Laptops and the other portable media I mention are special cases. You can’t apply that kind of focus to everything. The data centre, for example, you’re going to have to look at the physical though the eyes of DR/BCP type risk analysis, if at all.
This is where ‘scoping‘ comes in.
If you make your scope too wide, too inclusive, then you’ll never get it done. Maybe, just maybe, in a few years time, when you have a grip on the basics, you can slowly expand your scope.
But right now I think you can safely say that the risks that the DR/BCP is there to address are not in scope.
In my DatabaseOfDotSigQuotes there is this:
You should not ask yourself what policies to write but what
you need to control. If you begin with a list of policies,
you need to adapt the reality to the list. The risk is that
you create a false sense of control of security.
— Jakob Fredriksson
Not quite the wording that applies here, but the right sentiment
You need to have controls that pertain to the information and the business processes that use it. That’s all that *HAS* to be in scope.
- Manage identity and access to improve business processes (computerweekly.com)
- Enterprise Asset Management (adamwilsonuk.wordpress.com)
- Information Security Risk Management and ISO 27001 – An interview with Information Security Professional Tony Drewitt (vigilantsoftware.co.uk)
- A Guide to Data Security and ISO27001/ISO27002 (deurainfosec.com)
- Information security risk management and ISO 27001 – an interview with James Ellis of Secure and Confidential Documents Ltd (vigilantsoftware.co.uk)