Expert Advice Community

How to identify assets

Guest user. Created: Sep 05, 2016. Last commented: Sep 05, 2016

How to identify the assets to assess risks using the old assets-threats-vulnerabilities method? Is it done for each control? In other words, do we identify assets for each evaluated control during an audit? The current 2013 revision of ISO 27001 doesn't require such identification, but are assessing consequences, likelihood and the method of risk calculation the same?

Antonio Jose Segovia Sep 05, 2016

Answer:
Regarding the first question, basically you need to list all the assets in your company and group them in some categories like hardware (laptops, printers), software, etc.

This article can help you to identify assets in your organization: “How to handle Asset register (Asset inventory) according to ISO 27001”: https://ad*********m/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/

The risk assessment is done by assets, not by controls, so controls are selected after the risks have been identified. This article can also be interesting for you: “The basic logic of ISO 27001: How does information security work?”: https://ad*********m/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/

Regarding your second question, you are right, ISO 27001:2013 does not require an asset-based method for the risk methodology, although it is our recommendation because it is very easy to understand, and the consequences and likelihood are still required in the current version of the standard.

Finally, these materials will help you to know more about how to perform the risk assessment & treatment in your organization:
- free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
- book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://ad*********m/27001academy/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
