Controls

SB.1.002 Governance of Processes and Systems

Category: Asset Management
Low
Low
Low
Organisation
v2.0 (Q1 2024)

The Information Systems and Processes are identified and registered. Each System and Process has an owner within the organisation. The owner is responsible for compliance with the organisational information security policy. Ownership falls to a single person and not to an organisational unit.

Systems and Processes are classified according to the organisational classification policy to determine the appropriate level of protection. The classification is reviewed and updated periodically. The owner is responsible for the classification.

Specification

Yearly review of the classification is recommended. Organisations should employ a wide definition of systems to ensure appropriate protection of assets important to business processes. Systems should therefore include SaaS applications from suppliers.

It is recommended to have a classification scheme that distinguishes between the potential impact on the organisation in terms of Availability, Integrity and Confidentiality. Impact can be considered in terms of financial impact, reputational impact, impact on primary business functions (such as education and research), impact on (personal) lives, and impact on regulatory compliance.

ISO 27001 & 27002:2022

5.3, A5.2, A5.4, A5.9, A5.10, A5.12, A5.13, A5.33, A5.34, A7.7, A7.10, A8.26, A8.33

SURF toetsingskader informatiebeveiliging (SURF information security assessment framework, NBA maturity model)

OR.01 Ownership
DM.01 Data (and system) ownership
DM.02 Classification
DM.03 Security requirements for data management