1. Is identifying risk (threat and vulnerability) the responsibility of the asset owner? If true, how do they identify it?
Answer:
The asset owner is responsible for protecting and managing an asset in a company, so he has to ensure risks are identified, either by performing risk identification himself or by working with other people (e.g., experts on the asset or people who use it on a daily basis). Since ISO 27001 does not prescribe who must perform risk identification, both approaches are valid, and you have to consider your organizational context (e.g., the asset owner's experience and knowledge) to choose the proper approach.
Regarding how to perform risk identification, I recommend you use catalogues such as this one: Catalogue of threats & vulnerabilities https://advisera.com/27001academy/knowledgebase/threats-vulnerabilities/
These articles will provide you further explanation about asset owners and risk identification:
- Risk owners vs. asset owners in ISO 27001:2013 https://advisera.com/27001academy/knowledgebase/risk-owners-vs-asset-owners-in-iso-270012013/
- ISO 27001 risk assessment: How to match assets, threats and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/
2. Is assessing the consequence and likelihood of risk the responsibility of the risk owner?
Answer:
The risk owner is a person designated to solve a risk, and to do so he must be responsible for performing the consequence and likelihood assessment, either by himself or with the support of other personnel.
This article will provide you further explanation about assessing likelihood and consequence:
- How to assess consequences and likelihood in ISO 27001 risk analysis https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#assessment
3. So does the one who is responsible for risk assessment just pick up the risks from them and then do the risk assessment?
Answer:
Risk assessment is the combination of risk identification, risk analysis and risk evaluation, so it is not a simple question of picking up risks, but of identifying them, defining values for them so they can be prioritized, and evaluating them against your criteria so you can decide which ones have to be treated.
These materials will also help you regarding risk assessment:
- The basics of risk assessment and treatment according to ISO 27001 [free webinar] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
Dec 14, 2018