Questionnaire for the Risk Assessment

1.- When performing the risk assessment and interviewing asset owners, is there a template of questions I should ask the asset owner to evaluate risks to that asset?
2.- Also beyond a template, what is the best way to create an asset owner questionnaire which includes technology specific risks?
3.- For example some of the technologies I am needing to evaluate for risk includes windows servers and sharepoint, how do I ensure to capture and ask security risk questions specific to that technology?
 

Answers:

1.- We don’t have a template of questions related to assets owners to evaluate risks, but assets owners simply can identify threats/vulnerabilities that can affect to their assets, so you can use a catalogue of threats/vulnerabilities and ask them what are applicable for their assets, asking also about consequences and likelihood. You can use for example this catalogue “Catalogue of threats & vulnerabilities” : https://advisera.com/27001academy/knowledgebase/threats-vulnerabilities/
2.- A questionnaire which includes technology spe cific risks is not necessary for the implementation of the ISO 27001, so we do not have this information because we are focused on the requirements of the standard. In this case, with the catalogue of my last answer is enough.
3.- Again it is not necessary. You can search threats related to software, for example: software errors, unauthorized use of software, unauthorized installation of software, etc.
Finally, this article can be interesting for you “ISO 27001 risk assessment: How to match assets, threats and vulnerabilities” : https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/