To enter the Risk Assessment double click the risk assessment you want to execute and it’ll pop up in a tab below the Risk Assessment tab (1). Next to it is the Assets tab (2). Select the Assets tab and click on the plus sign to select an asset (3). That will open up a pop up which displays the assets you already defined. See 4.5 Assets for more detail on that.

Now that you’ve selected an asset to do an assessment on, you must choose who’s responsible for that Asset (4). According to the ISO 27002 Standard, a Responsible Person (Owner) must be registered for all information Assets in addition to assessing their Confidentiality, Integrity and Availability. The Responsible Person cannot be the Business Entity itself, but must be a specific individual who is registered under a name or job position.

Then you can select an operator.The Responsible Person and the Operator need not be the same person. The Operator is also selected from a drop down list (5).

The System Administrator can be the Operator, while the head of the IT division is the person Responsible for the Asset.