iso27diy-corp/Corpus/ISMS/Assets Ownership and Risk Overview.md

Assets, Ownership, and Risk: Structured Overview

1. Core Concept: What Is an Asset?

An information asset is anything that has value to an organization. It can take many forms:

  • Printed or electronic documents
  • Intellectual property and proprietary knowledge
  • Personal data
  • Knowledge of processes
  • Physical items
  • Information systems that process, store, or transmit information

Selected definitions:

| Source | Definition |
| --- | --- |
| ISO/IEC 27000:2018 | Anything that has value to an organization (e.g. printed documents, electronic documents, intellectual property, personal data, knowledge of processes, physical items). |
| NIST SP 800-53 | Information and the information systems that process, store, and transmit that information. |
| DAMA-DMBOK | A resource of value that an organization uses to understand, operate, and innovate. |
| Gartner IT Glossary | A collection of information that is defined and managed as a standalone entity and is considered of value. |
| (ISC)² CISSP Official Study Guide (Chapple, Stewart et al., p.64) | Anything within an environment that should be protected — anything used in a business process or task. If an organization places any value on an item and deems it important enough to protect, it is labeled an asset for purposes of risk management and analysis. |

Examples of assets (CISSP): computer files, network services, system resources, processes, programs, products, IT infrastructure, databases, hardware devices, furniture, product recipes/formulas, intellectual property, personnel, software, facilities.

Consequences of asset loss or disclosure:

  • Overall security compromise
  • Loss of productivity
  • Reduction in profits
  • Additional expenditures
  • Discontinuation of the organization
  • Numerous intangible consequences

2. Assets in Relation to Vulnerabilities, Threats, and Risks

The relationship between the four concepts can be summarized as:

A threat exploits an exposed vulnerability to damage an asset, which results in a risk to the organization.

This relationship is known as the Operations Security Triple (assets, vulnerabilities, threats).

On risk materialization: A risk can be seen as a theoretical threat scenario. When a risk "materializes," an anticipated or potential threat has actually taken place — exploiting a vulnerability, affecting an asset, and resulting in actual harm or loss.

3. Asset Ownership

ISO 27001 Requirements

ISO 27001 explicitly requires asset ownership in two controls:

  • A.8.1.2 — Every asset should have an owner.
  • A.9.2.5 — Asset owners must periodically evaluate access rights.

Determining Ownership: The RUMC Model

The following model was shared by Remco Landegge, Security Expert Radboud UMC (2 December 2024). Remove all references to Radboudumc before reusing.

When asset or process ownership is unclear, it can be determined by mapping the situation to one of four scenarios:

Situation 1 (B1): Asset/process used within a single organizational unit

The head or director of that organizational unit is the owner (E1).

Note: for institutes, this applies only to assets/processes needed within their own unit — not to those required for the complete core task.

Situation 2 (B2): Asset/process used across multiple departments, or a department and a centre

The director of the core task in which the asset/process is used is the owner (E2). The owner operates independently and in a facilitating role, to ensure all stakeholders (across departments and/or centres) are involved in decisions about functionality, security, and service levels.

Situation 3 (B3): Asset/process used across multiple institutes

The directors of the institutes involved jointly determine who the owner is (E3). The owner operates independently and in a facilitating role to ensure stakeholder involvement across institutes.

Situation 4 (B4): Asset/process spanning (virtually) all parts of the organization, with no owner claimed

First, determine whether the asset/process is actually needed. The three institute directors and directors of supporting services jointly decide (E4). If no consensus is reached, the Board of Directors appoints an owner (E4).
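The two ISO 27001 controls above and the four RUMC situations together describe a check that can be run over an asset register: every asset needs an owner (A.8.1.2), owned assets need a periodic access-right review (A.9.2.5), and for an asset with no owner the usage footprint decides which situation (B1 to B4) and therefore which decision path (E1 to E4) applies. The script below is an added illustration, not code from the note, from Radboudumc or from iso27diy-corp. It assumes a register in which each using unit records its kind (department, centre, institute, supporting service) and the institute it belongs to, treats "core task" as equivalent to "institute" for the B2 case, and approximates "(virtually) all parts of the organization" as "every institute plus at least one supporting service"; the register entries, unit names and the one-year review interval are constructed sample data.

```python
"""Asset-register check for A.8.1.2 / A.9.2.5 plus RUMC owner determination (added example)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Unit kinds used by the four RUMC situations (labels are an assumption of this example).
DEPARTMENT, CENTRE, INSTITUTE, SUPPORT = "department", "centre", "institute", "support"


@dataclass(frozen=True)
class Unit:
    name: str
    kind: str
    institute: Optional[str] = None  # assumption: core task == institute; None for support services


@dataclass
class Asset:
    name: str
    used_by: tuple  # Units that use the asset/process
    owner: Optional[str] = None
    last_access_review: Optional[date] = None


def classify(asset: Asset, all_institutes: frozenset) -> str:
    """Map the usage footprint of an asset to RUMC situation B1..B4."""
    units = set(asset.used_by)
    institutes = {u.institute for u in units if u.institute}
    # B4: spans (virtually) the whole organization and nobody has claimed ownership.
    # Approximation (assumption): every institute plus at least one supporting service.
    if institutes >= all_institutes and any(u.kind == SUPPORT for u in units) and asset.owner is None:
        return "B4"
    if len(units) == 1:          # B1: a single organizational unit
        return "B1"
    if len(institutes) > 1:      # B3: several institutes
        return "B3"
    return "B2"                  # B2: several departments, or department + centre, one core task


def determine_owner(asset: Asset, all_institutes: frozenset) -> tuple:
    """Return (situation, decision text E1..E4) for an asset whose owner is unclear."""
    situation = classify(asset, all_institutes)
    units = list(asset.used_by)
    if situation == "B1":
        return situation, f"E1: head/director of {units[0].name}"
    if situation == "B2":
        core = next((u.institute for u in units if u.institute), None)
        core = core or "the core task served (not recorded in the register)"
        return situation, f"E2: director of {core}, independent and facilitating across stakeholders"
    if situation == "B3":
        names = ", ".join(sorted({u.institute for u in units if u.institute}))
        return situation, f"E3: directors of {names} jointly decide; owner facilitates across institutes"
    return situation, ("E4: first confirm the asset is needed; institute directors and supporting-service "
                       "directors decide jointly, the Board of Directors appoints an owner if no consensus")


def audit_register(assets, today: date, review_interval: timedelta, all_institutes: frozenset) -> list:
    """Flag A.8.1.2 gaps (no owner, with the RUMC decision path) and A.9.2.5 gaps (review overdue)."""
    findings = []
    for a in assets:
        if a.owner is None:
            situation, decision = determine_owner(a, all_institutes)
            findings.append(f"{a.name}: A.8.1.2 no owner ({situation}) -> {decision}")
        elif a.last_access_review is None or today - a.last_access_review > review_interval:
            findings.append(f"{a.name}: A.9.2.5 access-right review overdue (owner: {a.owner})")
    return findings


# Constructed sample organization and register (not real Radboudumc data).
ALL_INSTITUTES = frozenset({"Inst-A", "Inst-B", "Inst-C"})
radiology = Unit("Radiology", DEPARTMENT, "Inst-A")
imaging_centre = Unit("Imaging Centre", CENTRE, "Inst-A")
genetics = Unit("Genetics", DEPARTMENT, "Inst-B")
cardiology = Unit("Cardiology", DEPARTMENT, "Inst-C")
it_services = Unit("IT Services", SUPPORT)

SAMPLE_REGISTER = [
    Asset("PACS viewer", (radiology,)),                                    # B1
    Asset("Imaging archive", (radiology, imaging_centre)),                 # B2
    Asset("Research data lake", (radiology, genetics)),                    # B3
    Asset("Email platform", (radiology, genetics, cardiology, it_services)),  # B4
    Asset("HR system", (it_services,), owner="Head of HR", last_access_review=date(2023, 9, 1)),
]

if __name__ == "__main__":
    for line in audit_register(SAMPLE_REGISTER, date(2024, 12, 2), timedelta(days=365), ALL_INSTITUTES):
        print(line)
```

The B4 test deliberately requires `owner is None`: an organization-wide asset that someone has already claimed falls through to B3 (several institutes), which matches the note's wording that B4 applies only when no owner is claimed. The review interval is a parameter because the note says "periodically" without fixing a period.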

Notes on Linked Content

The source files reference the following related notes in the vault:

Asset classes