Risk Assessments for Early Start up

ISO 27001 does not prescribe assets and threats to be used for risk assessment, so you should consider assets and threats regarding your own organizational context (e.g., industry, adopted technologies, etc.). Without this kind of information is not possible to provide a more detailed answer.

What we can say at this moment is that you should avoid using so broad categories, because assets/threats related to them may require different treatment approaches. For example, in software, you can have off-the-shelf software and internally developed software. For the network, you can have firewalls and switches. As for the environment, you may have fire and flood.

Included in your toolkit you have a Risk Assessment Table with lists of assets, threats, and vulnerabilities commonly used in information risk assessment. It is located in folder 05 Risk Assessment and Risk Treatment. Additionally, you have access to a video to a video tutorial that can help you perform risk assessment, using real data as an example.  

These articles will provide you a further explanation about risk assessment:

• ISO 27001/ISO 27005 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
• ISO 27001 risk assessment: How to match assets, threats and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/