Expert Advice Community

Performing risk assessment

Guest user Created: May 19, 2019 Last commented: May 19, 2019

I’m having difficulty identifying the assets that relate to the controls in Annex A.

Expert: Rhand Leal, May 19, 2019

My reasoning is based on the understanding that the risks identified in risk assessment (where assets and their associated threats and vulnerabilities are defined and evaluated) are then treated by controls. Therefore, Annex A is a collection of controls used to treat risks associated with certain assets.

As an exercise to improve my understanding, I have tried to link the Annex A controls back to assets but I’m finding that a bit challenging. For example, what asset(s) would be tied to control A.5.1.1 (“A set of policies for information security shall be defined, approved by management, published and communicated to employees and relevant external parties.”)? Working backwards using an Asset, Threat, Vulnerability approach, I came up with:

Control: A set of policies for information security shall be defined, approved by management, published and communicated to employees and relevant external parties.

What vulnerabilities would warrant such a control? Lack of or unclear Policy. Lack of support for Policy by Management. Lack of awareness of Policy with employees and relevant external parties.

What is the threat? Lack of management direction and support. What asset? Any information security asset with risks controlled by Policy.

Could you give some advice on how you see the Annex A controls relating back to assets in need of protection?

Answer: First it is important to note that for ISO 27001 the final purpose of risk assessment and treatment is to protect information and related assets, not to implement controls (for risk treatment, control implementation is only one available alternative), so working backwards on the asset-threat-vulnerability methodology, by identifying which assets can be tracked to controls from ISO 27001, is non-productive work that should be avoided (this approach will definitely not work on an implementation project).

Working this way you will be involved in an effort to identify assets for controls that you may not even need to implement, because there will be no relevant risks or legal requirements demanding their implementation, spending time and resources.

So, you should focus first on identifying the information and assets your organization deems important to protect, and then go for identification of controls to treat the relevant risks.

Considering that, the risks you can relate to control A.5.1.1 involve assets vulnerable to users' errors or improper behavior due to unclear or non-existent rules or guidance (as you can see, a lot of assets can be included in this scenario, so the best approach is for you to identify which ones exist in your ISMS scope).

This article will provide you with further explanation about performing asset-threat-vulnerability risk assessment:
- ISO 27001 risk assessment: How to match assets, threats and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/

These materials will also help you:
- Diagram of ISO 27001:2013 Risk Assessment and Treatment process https://info.advisera.com/27001academy/free-download/diagram-of-iso-270012013-risk-assessment-and-treatment-process
- The basics of risk assessment and treatment according to ISO 27001 [free webinar] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
