Now that the Asset Register is complete, including all assets (Soft, computer, accessories, server, information and infrastructure), is it best to risk assess each item on the register to understand the threats and vulnerabilities?
Answer: Yes, you should assess the risks for all assets on the asset register. The understanding of ISO 27001 control A.8.1.1 - Inventory of assets is that all assets in the inventory (asset register) are considered relevant in the life cycle of the information, so if you do not assess the risk for one asset you have on the register, you either have a nonconformity issue, or that asset should not be in the register at all. But you should note that you also have to add your employees and suppliers to the register (because of competencies and resources provided) - you need to perform risk assessment on them, too.
These articles will provide you further explanation about Risk Assessment:
- ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
- ISO 27001 risk assessment: How to match assets, threats and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/
- How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/
These materials will also help you regarding Risk Assessment:
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
May 24, 2017