1. How detailed and far does the inventory of assets need to be? (do we need to list each laptop and cell phone for example)
2. When a risk assessment is performed does the risk owner have to do a risk assessment on all the assets every year or the assets that are deemed to be threats or vulnerable.
3. Why is the inventory of assets not listed under the reference document as well as 3.1.2 in the Risk assessment and risk treatment Methodology document?