How to do a risk assessment on a sample of assets
Answer: You can group all similar assets together, so in your case you could have one item called "Critical firewalls" and for this item find threats, vulnerabilities, etc. See also this article: ISO 27001 risk assessment: How to match assets, threats and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/
Also, if there are 10 sites in the scope of the certification audit, then at the time of the surveillance audit, how can the auditor sample the sites (i.e., what to include and what not)?
Answer: If you are asking about the surveillance visit that is performed by the certification auditor, then this is a decision made by the certification auditor, not by the company that holds the certificate. They make such a decision based on the importance of particular sites, and on where they found most of the nonconformities during the previous visit.
See also: Surveillance visits vs. certification audits https://advisera.com/27001academy/knowledgebase/surveillance-visits-vs-certification-audits/
Sep 14, 2016