Quick question, please. When doing an ISO 27001 asset-based risk assessment, do I still keep the assets that have no impact on information security in the risk assessment matrix, or do I only keep assets that have an impact on information security?
I'm assuming that by asset-based risk assessment you mean the asset-threat-vulnerability approach.
Considering that, even if a set of asset-threat-vulnerability raises no risk to the information that is part of the ISMS scope, you should maintain it in the Risk Assessment, for record purposes. First, because this way you can keep track of already identified sets of assets-threats-vulnerabilities you thought were relevant, which in future assessments will save you time in risk identification (you will not need to work on the identification of these risks again), and since risk is a dynamic variable, in a future assessment these sets may indeed raise a risk that may require treatment (e.g. due to a technological change or new legislation).
These articles will provide you with a further explanation about risk assessment: