Expert Advice Community

Risk assessment - Assets or process?

Guest user Created:   Jan 13, 2016 Last commented:   Jan 13, 2016

AntonioS Jan 13, 2016

Do you suggest doing the risk assessment based on assets or on business processes? For your information, at this time we use an asset-based approach and it is too complex for our scope (about 1100 employees). We have certification from IQNET; the certification is just for our network infrastructure. Now we are planning to extend the scope.

Answer:

If you have many assets (thousands of different assets of all types) involved in the scope of the ISMS, a risk assessment based on processes can be a good idea, but keep in mind that in a risk assessment based on assets you can have groups of assets like "employees of a department", "TVs", "Desktops", and any other group of assets that can be affected by the same threats/vulnerabilities, and this approach can reduce the risk assessment considerably.

But also keep in mind that if you change from assets to processes in your risk assessment, you will need to start from 0, applying a new methodology in a complex scope.

So, if you reduce your risk assessment but the number of assets is still high, and you can assume the effort to change the risk assessment and start from 0, my recommendation is the risk assessment based on processes (it is not a problem in ISO 27001:2013; I mean, you can use a risk assessment based on processes without problem, although with the old ISO 27001:2005 you could not). If not, I think that you should maintain your current risk assessment, reducing it.

Finally, this article about the risk assessment can be interesting for you, "ISO 27001 risk assessment: How to match assets, threats and vulnerabilities": https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/

And also this article about problems with defining the scope can be interesting for you, "Problems with defining the scope in ISO 27001": https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/
