Why is risk only calculated based on Physical Assets? What about best practices and processes and controls that are missing in an entity and causing risk? For example, HR practices, Asset practices. Does the CIA apply here?
Can I not calculate Risk along the same columns of controls defined in SOA and create another Risk assessment sheet for other Assets like Hardware, mostly under CIA?