An ISO practitioner told me that, according to the ISO27K:2013 standard, risk assessment should be based on services instead of assets. It should be services --Threats --Vulnerabilities --risk, and then map the risk to assets. Is this correct?
Also, will you please share a sample organisation structure that includes a CISO, ISM and Information Security Officer along with the CIO, COO and CEO?
As suggested, even though the 2013 version does not mandate any methodology, I feel a risk assessment based on processes/services makes more sense than one that depends on granular assets. Also, if it is service/business process based, identifying the risks the business needs to worry about most is easier than with an asset-based methodology.
Depending on the business, it can be more or less easy. Generally, if you have many assets (think of a multinational: thousands), it can be a good idea to use a process-based methodology, but if not, it may be better to use an asset-based methodology.