Chapter 4. Information Assets and the Information Security Risk Assessment

An asset-based information security risk assessment is the key to any ISO27001 ISMS, forming the lion’s share of the Plan phase of the initial Plan-Do-Check-Act (PDCA) cycle for implementation.

To undertake the risk assessment it is necessary first to have defined the scope of the ISMS and to have understood the concept of information security assets, since it is the assets that are the subject of the risk assessment.

For the risk assessment to be effective, a comprehensive information-asset register needs to be produced: a list of everything that has value to the organisation, including information, information processing and storage equipment (every server, computer, laptop, ...
