I’m busy with making an inventory of our assets and to start assessing the risks. I see that you’re f.e suggesting keys or UPS devices as an asset. For me both relate to another asset namely: building/office and the server room.
If we take some examples of the asset list we could easily do a risk assessment of the building or the server room and come to the same risks. f.e. threat: theft and vulnerability: inadequate procedure for protecting the “keys” or threat: interruption of power supply, vulnerability: old “UPS” with no maintenance, etc.
I can come up with many other examples such as air-conditioning, alarm etc. as the risks could be found with other related assets. How should we deal with this ? I suppose it doesn’t matter ? As long as we identify the risks ?
The lists provided in the templates are only suggestions for you to use if you can't come up with your own elements, so you can use only your own assets, threats and risks to build you inventory and risk assessment (it seems to me that by your examples you already understood the concepts for performing risk assessment).
It is important to note that you can also group the assets if threats/vulnerabilities are similar.