
Asset register

Guest user Created:   May 08, 2020 Last commented:   May 08, 2020


I need to build an asset and a risk register. I think I understood the concept but I'm having some difficulties drawing an Excel file.

I understand that there are primary assets (processes, information) and supporting assets (PCs, SW, Site, etc.).

1 - Should all these assets be included in the same column, having for example the categorization in another column or should I have 2 different tables, with a relation between supporting assets and primary ones?

2 - Are the threats and vulnerabilities related to supporting assets and thus impacting the related primary assets? How should this be mapped in an Excel file?


Expert
Rhand Leal May 08, 2020

1 - Should all these assets be included in the same column, having for example the categorization in another column or should I have 2 different tables, with a relation between supporting assets and primary ones?

ISO 27001 does not prescribe how to build the risk register, so you can define it as best fits your organization. The most common approach is to use a single table for all assets, all listed in a single column (you do not need to define them as primary and supporting assets).

2 - Are the threats and vulnerabilities related to supporting assets and thus impacting the related primary assets? How should this be mapped in an Excel file?

ISO 27001 does not prescribe a risk assessment approach, only that you have to define one, so from our experience you do not need to think of assets in terms of primary assets and support assets (this would only make your assessment unnecessarily more complex). You can just link threats and vulnerabilities to a single level of assets.

To see what a risk assessment looks like, I suggest you take a look at the free demo of our Risk Assessment Table at this link: https://advisera.com/27001academy/documentation/risk-assessment-table/

These articles will provide you with a further explanation about assets and risk assessment:
