ISO 27005:2011 Annex B Section 1.2 describes a process for asset identification that classifies primary and secondary assets, which seems to be in contradiction to the risk assessment categories that are in the 27001 Academy templates. I have been working to identify assets using the ISO 27005 methodology, which focuses the primary assets on information assets rather than the secondary assets, which are more people- and equipment-based, which is how the template categories are defined. I think the primary information assets approach works well for my company, as we are a software product company where the assets we have to secure are more centered around software, source code and customer data rather than the physical equipment. My question is: having identified and assessed the primary information assets, do I simply continue and assess the threats and vulnerabilities related to the secondary assets, or is it sufficient to assess the primary assets, with the implication that the secondary assets will be covered by the primary assets?
ISO 27005 is not a mandatory standard; it is only a guideline that you may or may not choose to follow. The only relevant requirements for risk assessment are those written in ISO 27001.
ISO 27001 does not require classification into primary and secondary assets, and in our view such classification may be misleading; this is why we did not recommend such an approach in our templates. For instance, I do not think that your core software is more important as an asset than your system administrator: they are both very valuable for the company, and they both carry very high risks.
To answer your question, I think that you should identify threats and vulnerabilities for all of your assets, no matter how you classify them. However, ISO 27001 does allow you the flexibility to define your own methodology, which means that in theory, you could use some simplified risk identification method for "secondary" assets.