Risk management

Answer: Non-tangible assets related to information or information processing facilities are also considered assets for ISO 27001. In fact, intellectual property usually is one critical information asset to be protected.

For more information about assets, please see this article:
- How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/

2- Is it possible to get a sample of a completed Appendix 1 – Risk Assessment table looks like?

Answer: Included in the toolkit you bought you have access to a video tutorial that can help you fill the risk assessment table, providing examples with real data.

3 - We are struggling with do we identify every single possible threat or just go with the most likely threats.

Answer: The identification of every single possible threat is unfeasible, so you have to focus on the most likely ones. To minimize chances that you miss a relevant threat, the risk identification step should count with the participation of personnel with knowledge about the situation being analysed (e.g., key users, systems administrators, etc.).

4 - Does the vulnerability relate to the threat or is it mutually exclusive in this table as in one has nothing to do with the other.

Answer: a vulnerability is weakness, associated to one or more assets, that can be exploited by one or more threat, so there is a relation between them.

5 - Can there be a 1 to many relationship of threat to vulnerability?

Answer: a single threat can explore many vulnerabilities, the same way a vulnerability can be exploited by many threats.

6 - Can an asset have many threats with many vulnerabilities?

Answer: A single asset can have many threat associated to it, and as explained in the previous answer, these threats can explore many vulnerabilities.

7 - Can a single threat or a single vulnerability have many controls?

Answer: Single threats / vulnerabilities can have multiple controls designated to handle them. In fact in many cases this is the most common situation (which we call "defense in depth", where multiple controls are implemented to ensure that if one fails some sort of security still remains, giving people more time to identify and react to the threat).

These articles will provide you further explanation about risk management:
- ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
- ISO 27001 risk assessment: How to match assets, threats and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/

These materials will also help you regarding risk management:
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
- The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/