1. How does one put in the risk/control of the asset?
I have read your website on implementing an ISMS for ISO 27001.
First I classified my assets, labelled them, and checked the risk of each.
Now how does this relate to the ISO controls?
What I don't understand is that the ISO has an annex, controls and some questions (or advice).
Because... let me take an example from the annex.
OK, let's say employees are also an asset. So, taking Annex 7.2.2,
"Information security awareness, education and training"
All employees of the organization and, where relevant, contractors shall receive appropriate awareness education and training and regular updates in organizational policies and procedures, as relevant for their job function.
Does this mean one just has to educate the workers and partners on policies, and then one is compliant with this annex?
2. I watched one of your videos about ISO 27001, in which the speaker gave a simple risk assessment table. So what impact does that table have on the ISO requirement?
3. Assuming I have 10 assets, 3 of which have a risk while 7 are okay... which controls of ISO 27001 does this relate to?