Expert Advice Community

Approaching asset-based risk assessment for a cloud provider

Guest user. Created: Jan 16, 2020. Last commented: Feb 06, 2020.

How to approach asset-based risk assessment for a cloud provider like Microsoft Azure?  What level of detail is recommended?

Expert
Rhand Leal Feb 06, 2020

How to approach asset-based risk assessment for a cloud provider like Microsoft Azure? 

To perform an asset-based risk assessment for a cloud provider you have to consider primarily the risk assessment of the assets controlled by your organization.

For example, for an IaaS cloud provider, where the provider controls the hardware and basic operational systems, this would mean assessing risks related to your data and the software applications you manage. In case it is a SaaS provider, where the provider controls the hardware and software, this would mean assessing risks related only to your data.

This article will provide you with more information to understand this issue:
- Defining the ISMS scope if the servers are in the cloud https://advisera.com/27001academy/blog/2017/05/22/defining-the-isms-scope-if-the-servers-are-in-the-cloud/

What level of detail is recommended?

ISO 27001 does not prescribe levels of detail, so an organization is free to adopt any level of detail it sees fit. Our recommendation for you is to adopt a level of detail so you can have confidence you have sufficient information to identify relevant risks and proper security controls to be implemented by your organization and the cloud provider.

These articles will provide you with further explanation:
- 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/
- ISO 27001 risk assessment: How to match assets, threats, and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/
- Which security clauses to use for supplier agreements? https://advisera.com/27001academy/blog/2017/06/19/which-security-clauses-to-use-for-supplier-agreements/
