Asset based

One of ISO practitioner told me According to ISO27K:2013 standard, Risk assessment should be based on services instead assets. It should be services --Threats --Vulnerabilities --risk and then map risk to assets. Is this correct?
Also will you please share a sample organisation structure that includes CISO, ISM and Information Security officer along with CIO, COO and CEO
 

Answer:

With the ISO 27001:2013 is not necessary that your methodology be based on assets, can be based in services or also in process. And you can assign, to each service, threats/vulnerabilities, and after map risks to assets (although I think that this last step is not necessary). Anyway, I recommend you to read this article “What has changed in risk assessment in ISO 27001:2013” : https://advisera.com/27001academy/knowledgebase/what-has-changed-in-risk-assessment-in-iso-270012013/
Regarding to your question related to the CISO, we do not have a document with this, but I think that this article can be interesting for you “Chief Information Security Officer (CISO) - where does he belong in an org chart?” : https://advisera.com/27001academy/blog/2012/09/11/chief-information-security-officer-ciso-where-does-he-belong-in-an-org-chart/

Antonio,

As suggested , even through the 2013 version is not made any mandate for the methodology, I feel risk assessment based on Process/services makes sense than depends on granular asset. Also if it is service/business process based, identification of risks that business needs to worry much is easy than asset based methodology

Depending of the business can be more/less easy. Generally if you have many assets (think in a multinational: thousands) can be a good idea to use a process based methodology, but if not, maybe can be better to use a asset based methodology.