Can you explain how document 14.1 should be filled out? I understand that there's some relationship to the risks listed in document 5.1, but I'm not sure which assets are required to be listed in document 14.1.
To be more specific, we're running a SaaS company with at least these three types of information systems:
Software used in internal development.
The software that we develop. Note that the version of this software changes as we're developing it.
The software that runs in the production environment.
I'm not sure which ones of these should be listed in 14.1.
I’m assuming you are referring to Appendix 1 – Specification of Information System Requirements.
Considering that, you should create this record for each software listed in your Risk Treatment Table for which you have identified risks that need to be treated by control A.14.1.1 (Information security requirements analysis and specification). Please note that these records can be created either for each individual software or as a single record for a set of software which share the same security requirements.
Considering the software under development, you need to create a record for each new version (this will help you track the changes and evolution in security requirements).