Can you explain how document 14.1 should be filled out? I understand that there's some relationship to the risks listed in document 5.1, but I'm not sure which assets are required to be listed in document 14.1.
To be more specific, we're running a SAAS company with at least these three types of information systems:
Software used in internal development.
The software that we develop. Note that the version of this software changes as we're developing it.
The software that runs in the production environment.
I'm not sure which ones of these should be listed in 14.1.