Question regarding Asset Based Risk assessment
Dear Dejan, trust you are well. I am doing my first Asset Based Risk Assessment and I am using your book Secure and Simple. What to do with assets such as company mobile phones which do not have access to the company network and are not used to send any information in emails etc. Do I list them in the Risk Assessment?
Answer: In case an asset does not have access to the information you want your ISMS to protect, then it does not need to be included in the risk assessment.
Please note that besides the situations you mentioned, there are other situations that may need to be considered in the risk assessment, such as:
- mobile phones with onboard cameras may take pictures of documents and screens.
- mobile phone memory card slots can be used to transport memory cards that had access to the organization's data.
- if the phone is stolen, by accessing an email account a bad actor can reset passwords for company systems and access them.
These articles will provide you with further explanation about assets and risk assessment:
- How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/
- ISO 27001 risk assessment: How to match assets, threats, and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/
These materials will also help you regarding risk assessment:
- The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
Sep 11, 2020