Assets, Threats and Risk assessment

Answer: If the legal actions are taken as a result of lack of information, caused by duties not being performed on time, this situation must be included on your risk assessment, so you can determine if the risk of this situation is unacceptable, and implemented controls as needed.

2 - How can we reflect them in our documentation?

Answer: You should add asset(s) that handle information from these duties (e.g., payment system XYZ, email server, etc.) in your asset inventory, and related risks should be recorded in your risk assessment (e.g., payment delayed by system downtime or processing error may cause a contractual breach). The risks considered unacceptable must be included in the risk treatment plan, where proper controls should be defined (e.g., sy stem redundancy / processing results review).

This article will provide you further explanation about risk assessment:
- ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/

3 - Can we consider them as our services? In one of your articles I saw this:

“Outsourced services – e.g. legal services or cleaning services, but also online services like Dropbox or Gmail – it is true that these are not assets in the pure sense of the word, but such services need to be controlled very similarly to assets, so they are very often included in the asset management.”

Are these examples also similar to my case?

Answer: If I'm understanding correctly, these activities are being performed by your own organization, so in this case it is more appropriate for you to refer in your inventory to the assets that handle the information, like I explained in the first question.

4 - It is also not clear for me, how can for example cleaning services affect the risk assessment process? (Aren’t they more like threats than assets?)

Answer: According to 27001 clause 8.1, outsourced processes must be determined and controlled, so, outsourced cleaning services, as well as any other outsourced services, must be included in the risk assessment to ensure they do not represent a risk to information security, or in case they introduce unacceptable risks, to ensure those risks are treated properly.

Regarding how cleaning services may affect the risk assessment process, this service, as well as any other outsourced services, may require, for example, that people who work for this external organization, may have access to your environment and information, and if you do not consider them malicious people (e.g., industrial spies), or untrained people,may cause your information to be compromised (e.g., damaged, lost, or stolen), and you should consider these risks and treat them properly (e.g., by means of contracts, training, etc.).

This article will provide you further explanation about assets and threats:
- ISO 27001 risk assessment: How to match assets, threats and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/

These materials will also help you regarding assets and risk assessment and treatment:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your
Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course
https://advisera.com/training/iso-27001-foundations-course/