
Risk owners vs. asset owners in ISO 27001:2013

Author: Dejan Kosutic

The 2013 revision of ISO 27001 introduced a new concept: the risk owner. Since this concept has caused quite a lot of confusion among information security practitioners, here is an explanation of what the risk owner is, and whether the concept of asset owner from the old 2005 revision of ISO 27001 is still valid.

What is the asset owner, according to ISO 27001?

Both the old 2005 and the new 2013 revisions of ISO 27001 treat asset ownership as a control in Annex A; it is basically nothing more than determining who is responsible for each asset in your company. In terms of information security, assets are not only information in electronic and paper form, but also software, hardware, services, people, facilities, and anything else that provides value to the organization.

Why is asset ownership important? Because if no one is responsible for an asset, no one will take care of it. Only by clearly defining who is responsible for each document, each server, each external service, etc. can you make sure that each of those assets is properly protected and managed; assets without owners mean anarchy.

Asset-based risk assessment

Where the 2005 and 2013 revisions differ is that 2005 required the identification of asset owners both during the risk assessment process and as control A.7.1.2 in Annex A, whereas the 2013 revision has no such requirement in the risk assessment process and keeps it only as control A.8.1.2 in Annex A.

What’s more, the 2013 revision does not require the so-called asset-based risk assessment, which identifies risks through assets, threats and vulnerabilities; according to ISO 27001:2013, your company can identify risks using some other (less complicated) method.

However, my opinion is that asset-based risk assessment will continue to be the dominant method for risk assessment, especially if you choose to apply controls A.8.1.1 (identification of assets) and A.8.1.2 (assigning owners to those assets). If you do list those assets, you have already done a good part of an asset-based risk assessment; in such a case, even under the 2013 revision it makes sense to list assets (and their owners) during the risk assessment process.

What is the risk owner according to ISO 27001?

So then, what is the risk owner? ISO 27000:2014 defines the risk owner as a “person or entity with the accountability and authority to manage a risk.” Basically, this is a person who is both interested in resolving a risk and positioned highly enough in the organization to do something about it.

So, for instance, an asset owner of a server might be the IT administrator, and a risk owner for risks related to this server might be his boss, the head of the IT department. The IT administrator will manage the server on a day-to-day basis, while the head of the IT department will take care of, e.g., investing in better protection, providing training to the IT administrator, etc.

In my opinion, the concept of risk ownership was introduced because very often the asset owners did not have enough authority to resolve the risks they identified; besides, the concept also exists in ISO 31000, so in this way ISO 27001:2013 was aligned with ISO 31000.

How to choose the risk owners

When choosing risk owners, you should aim for someone closely related to the processes and operations where the risks have been identified: someone who will feel the “pain” if the risks materialize, and who is therefore very much interested in preventing them. However, this person must also be positioned highly enough that his or her voice is heard among the decision makers, because without the resources they control this task would be impossible. So, it seems to me that mid-level managers are often the best candidates for risk owners.

Even though the standard allows an entity to be a risk owner (e.g., a department or a business unit), I would not advise it: it is always better to have one individual in charge of resolving a problem than a group of people. For instance, if the head of the IT department is responsible for resolving a risk, it will be done much more quickly than if the whole IT department were responsible for the same risk.

When it comes to appointing the risk owners, this is best done through the Risk Treatment Plan, since this is the action plan for resolving the risks: for each risk you simply define who is responsible for implementing the controls. Read also: Risk Treatment Plan and risk treatment process – What’s the difference?
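As an added illustration (not part of the article or of any ISO document), here is a small Python risk register that records asset owners and risk owners as separate fields and checks the points made above: every asset has an owner, every risk points at known assets, every risk owner is an individual rather than a unit, and every risk has a planned treatment with someone responsible for it. The people, asset identifiers, risks and field names are all constructed for the example.

```python
"""Added illustration, not from the original article: a minimal risk
register that keeps asset owners and risk owners apart and checks the
article's advice. All names, identifiers and field names are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Union


@dataclass(frozen=True)
class Person:
    name: str
    role: str


@dataclass(frozen=True)
class Asset:
    asset_id: str
    description: str
    owner: Optional[Person]          # A.8.1.2: every asset should have an owner


@dataclass
class Risk:
    risk_id: str
    description: str
    asset_ids: List[str]             # assets the risk relates to
    risk_owner: Union[Person, str]   # a str stands for a department or unit
    treatment: Optional[str] = None  # controls to implement; None = not yet planned


def validate_register(assets: List[Asset], risks: List[Risk]) -> List[str]:
    """Return human-readable findings; an empty list means the register is clean."""
    findings: List[str] = []
    by_id = {a.asset_id: a for a in assets}
    for a in assets:
        if a.owner is None:
            findings.append(f"{a.asset_id}: no asset owner assigned")
    for r in risks:
        for aid in r.asset_ids:
            if aid not in by_id:
                findings.append(f"{r.risk_id}: refers to unknown asset {aid}")
        if not isinstance(r.risk_owner, Person):
            # The standard permits an entity; the article advises one individual.
            findings.append(f"{r.risk_id}: risk owner '{r.risk_owner}' is a unit, not an individual")
        if r.treatment is None:
            findings.append(f"{r.risk_id}: no treatment planned, so nobody is responsible for controls")
    return findings


def treatment_plan(risks: List[Risk]) -> Dict[str, List[str]]:
    """Group planned treatments by risk owner: who must implement what."""
    plan: Dict[str, List[str]] = {}
    for r in risks:
        if r.treatment is None:
            continue
        owner = r.risk_owner.name if isinstance(r.risk_owner, Person) else r.risk_owner
        plan.setdefault(owner, []).append(f"{r.risk_id}: {r.treatment}")
    return plan


# Constructed sample data mirroring the article's server example.
ANA = Person("Ana", "IT administrator")           # day-to-day asset owner
MARKO = Person("Marko", "Head of IT")             # has budget and authority: risk owner
LEA = Person("Lea", "Head of Customer Support")   # business owns the CRM; IT is custodian

ASSETS = [
    Asset("SRV-01", "File server", owner=ANA),
    Asset("APP-CRM", "CRM system", owner=LEA),
    Asset("SRV-02", "Legacy backup host", owner=None),   # deliberate gap
]

RISKS = [
    Risk("R-01", "Unpatched OS on SRV-01 gets exploited", ["SRV-01"], MARKO,
         treatment="Monthly patch cycle; training for the administrator"),
    Risk("R-02", "CRM customer data exported by an insider", ["APP-CRM"], LEA,
         treatment="Export logging and approval workflow"),
    Risk("R-03", "Backups on SRV-02 turn out unrecoverable", ["SRV-02", "SRV-99"],
         "IT department"),                                # unit as owner, no treatment
]

if __name__ == "__main__":
    for finding in validate_register(ASSETS, RISKS):
        print("FINDING:", finding)
    for owner, items in treatment_plan(RISKS).items():
        print(owner, "->", items)
```

Running it flags only the third risk and the unowned backup host: the asset without an owner, the reference to an asset that is not in the inventory, a department rather than a person as risk owner, and the missing treatment. The treatment plan that comes out is exactly the per-owner list the article recommends, one named person per risk.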

To conclude, companies should determine both risk owners and asset owners when implementing ISO 27001; the easiest way is to determine them during the risk assessment process. Doing this properly makes the implementation and operation of information security a much easier job.


2 responses to “Risk owners vs. asset owners in ISO 27001:2013”

  1. Salim says:

    Can you give an example from a business perspective? For example, the IT head can be the owner of the IT systems running on these servers, but when it comes to business applications, the business must be the owner of the systems. IT could be a mere custodian.

    • Rhand Leal says:

      Examples of business applications as assets that can be owned by business units are:
      – Customer Relationship Management (CRM) system can be designated to Customer Support department
      – Payroll system can be designated to HR department
      – Supply Chain Management (SCM) system can be designated to Procurement department

Dejan Kosutic
Lead ISO 27001/ISO 22301 Expert, Advisera