Getting Started with the Scope of Assessment

Scope of Assessment (IASME Question Booklet)

You will also need to answer questions regarding the computers, laptops, servers, mobile phones, tablets, firewalls/routers and cloud services that are connected to the internet and accessing organisational data or services. All locations that are owned or operated by this organisation or sub-set, whether in the UK or internationally, should be considered "in-scope".

The level of detail required for devices is as follows:

With the exception of network devices (such as firewalls and routers), all other devices within the scope of the certification require only information about the make and operating system.

Additionally, maintaining a comprehensive and up-to-date asset inventory is a fundamental and critical component of any vulnerability management program. Modern IT environments encompass on-premises and cloud infrastructure, mobile devices, ephemeral and transient assets, web applications, IoT devices, and more. Identification of all connected assets within an organisation is a common baseline requirement in a number of security standards and frameworks. Devices are detected through active scanning with Nessus and passive network analysis with Nessus Network Monitor to build a comprehensive list of assets and provide a clear picture of risk in the environment. For more detailed information on asset inventory and discovery, refer to the Asset Inventory and Discovery Cyber Exposure Guide.
