Tuesday, December 29, 2020

types of controls organizations

The objective of A.8.1 is to identify the data assets that are within the scope for the ISMS and to define protection responsibilities. Run a discovery to identify all information assets within your organization, such as paper records, digital files, removable devices and email. Then create an asset registry. For each asset, assign a data owner the responsibility of protecting it.

specifies the types of controls organizations need to implement in order to ensure accurate identification of information security assets, designate responsibility for security, and ensure data assets are protected based on their classification levels. The controls defined by the regulation are divided into technical, organizational, legal, physical and human resource controls.

Note that ISO 27001 does not specify an exact list of sensitive assets; your organization makes that decision using its best judgment.

The annex is broken into three main subparts, which are described briefly below. Then we will take a deeper dive into the second subpart, which concerns data classification.
