Asset management

Guest user. Created: Jan 12, 2016. Last commented: Jan 12, 2016.

 Concerning my query on Asset Management
AntonioS Jan 12, 2016

a.- Do we have to list assets that contain information only?

b.- I understand ISMS is about Information Security, but in our asset list we have listed equipment such as UPS, Generator, Cooling system etc. Is that OK?

c.- And since we have listed these items in our asset register, they are also included in our risk register.

d.- Our risk methodology is asset based (from version 2005). Now in 2013, we know that there's a flexibility, but we are still keeping it asset based. However, can we include other risks that are not derived from Assets – threats/vulnerabilities?

 

Answer:

a.- No, if you have chosen to follow the asset-based risk assessment then you have to list both the assets that contain the information (e.g. CDs, computers, etc.) and the assets that do not contain the information but can influence the security of information (e.g. air conditioning in the server room).

b.- Yes, you can identify these assets, because they are related to the maintenance of the information systems (UPS, generator, etc.), which are related to the information security.

c.- OK, right; whichever list is created first, it will serve for developing the other list.

d.- In principle, if the risk is related to the information security, yes, you can include it in your risk assessment. Also, you can maintain your risk methodology asset based. Anyway, I recommend this article, “What has changed in risk assessment in ISO 27001:2013”: https://advisera.com/27001academy/knowledgebase/what-has-changed-in-risk-assessment-in-iso-270012013/

Finally, if you need more information about how to identify assets, I recommend this article, “How to handle Asset register (Asset inventory) according to ISO 27001”: https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/
