First of all, thank you very much for your help. It is helping me to understand how to do things in a better and simpler way.
Q1 – The HR department has most of the systems they use externalized with 3rd parties. These cover our official web site, personnel information, payroll and other tools. The 3rd parties do the technical management, and our HR uses the systems, maintaining the information. My guess is that these systems aren't assets we need to protect, because they are out of our control, but the information belongs to us.
How should we treat this case in terms of assets, risk assessments and controls?
If the information you want your Information Security Management System to protect interacts with these systems, then you need to ensure these systems fulfill your information security standards.
In cases like these, where you find relevant risks to information that are related to systems managed by third parties, you need to consider controls from section A.15 (Supplier relationships), which will help you enforce your security needs and requirements upon suppliers.
For information about controls from section A.15 (Supplier relationships), I suggest you look at these articles: