Confusion over Physical Assets, Information Assets – Part Two

So I need to compile a list of ALL assets, information or otherwise,

NO!
That leads to tables and chairs and powerbars.

OK so you can’t work without those, but that’s not what I meant.

Physical assets are only relevant in so far as they are part of information processing. You should not start from those; you should start from the information and look at how the business processes make use of it. Don’t confuse your DR/BC plan with your core ISMS statements. ISO Standard 22301 addresses that.

This is, ultimately, about the business processes.

Confusion over Physical Assets, Information Assets in ISO-27000

I often explain that Information Security focuses on Information Assets.

Some day, on the corporate balance sheet, there will be an entry
which reads, “Information”; for in most cases the information is
more valuable  than the hardware which processes it.
   — Adm. Grace Murray Hopper, USN Ret.

Some people see this as a binary absolute – they think that there’s no need to assess the risks to the physical assets or that somehow this is automatically considered when assessing the risk to information.

The thing is there are differing types of information and differing types of containers for them.

About ISO 27001 Risk Statement and Controls

On the ISO27000 Forum list, someone asked:

I’m looking for Risk statement for each ISO 27k control; meaning
“what is the risk of not implementing a control”.

That’s a very ingenious way of looking at it!

One way of formulating the risk statement is from the control
objective mentioned in the standard.
Is there any other way out?

Ingenious aside, I’d be very careful with an approach like this.

Risks and controls are not, and should not be, 1:1.