Where do you assess your assets in relation to the confidentiality, sensitivity and integrity principles? And how do I incorporate this in the risk assessment? In other words, should an asset have a high rating in sensitivity, how does it affect the impact?
Please note that for ISO 27001 risk assessment, confidentiality and integrity, alongside availability, are related to risks (6.1.2 c 1) and to consequences (6.1.2 d 1), not to assets. So, sensitivity is not related to risk assessment.
Considering that, when using an asset-based approach for risk assessment, you need to consider the loss of confidentiality, integrity, and availability to identify risks and impacts, not sensitivity.
Sensitivity is a concept related only to control A.8.2.1 – Information Classification (alongside legal requirements, value, and criticality).
Only when the results of the risk assessment, or applicable legal requirements, define control A.8.2.1 as applicable do you need to classify information regarding sensitivity, due to unauthorized disclosure (i.e., loss of confidentiality) or modification (i.e., loss of integrity).
In other words, the impact in risk assessment affects sensitivity rating, not the other way around (the greater the impacts due to loss of confidentiality or integrity, the greater should be the sensitivity rating, to ensure proper controls are implemented to protect the information).