1. Risk Assessment Table & Risk Treatment Table: What if the risk is non-existent? Would we still have to document this? Let us say for example gaining physical access to the cabling room (at the office) or the server cage (at the datacenter) is nearly impossible, because you need a badge for the cabling room and aside of that people in the company will see the unauthorized personnel. As for the datacenter, there are 4 security procedures / authentication methods to prevent unauthorized personnel from entering.
I couldn't think of a vulnerability, so I assume I should not document this?
Answer: In your example you have to document the risk because probably it is nearly impossible because of all controls you already have implemented (e.g., badge, security procedures, and authentication methods). These implemented controls should be included in the last column of the Risk Assessment Table.
Included in your toolkit you have access to a video tutorial that can provide you guidance on hoe to fill in the Risk Assessment Table, using real dat a as examples.
2. Regarding the tab 'Asset owner' and 'Risk owner' which is important in several documents: Let us take laptops as an example, each employee has received a laptop from the company but the legal owner of this laptop is the organization. Who shall I put as Asset Owner and Risk Owner? Asset Owner: CTO/Employer, Risk Owner: CTO/Employer?
Answer: For ISO 27001, the asset owner is the person who is responsible for the asset, to ensure it is properly protected, not its legal owner. The risk owner is the person accountable for managing the risk, i.e., to reduce it to acceptable levels. In your example the asset owner can be the the employee responsible for the laptop, while the risk owner can be the CTO.
3. Control A.12.1.3 Capacity Management, I'm trying to think of a possible risk but I wouldn't know what kind of information security risks there could be. I know that the budget for (potential) IT assets is a part of this control, but as for the rest it's not very clear to me. Could you possibly give me some more information about Capacity Management or at least about possible risks which are related to IT Security?
Answer: Capacity management is related to planning resources to fulfill demand when required, ensuring agreed service levels, so risks related to capacity management are most related to information not being available when needed, e.g., due to a faulty equipment which has no redundancy, demands above implemented resources (e.g., during Denial Of Service - DOS - attacks), technology obsolescence, etc.