Risk Management and "Asset value" & Asset Criticality
1) Does ISO 27001/27005 require the Risk Management process to use asset value as part of calculating the risk assessment level?
ISO 27001 and ISO 27005 do not prescribe the use of the asset value for risk assessment, so organizations are free to use any approach they see fit to their needs.
For further information, see:
- ISO 27001 risk assessment: How to match assets, threats and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/
- How to assess consequences and likelihood in ISO 27001 risk analysis https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#assessment
2) Does the standard require asset valuation as part of the Risk Management process? Or can it be seen as an input, rather than a direct output of the process? That is to say, asset value is important to me as Risk Manager, but I need that input from the organization. It is not my responsibility to produce it as part of the RM process.
ISO 27001 requires only that risks are evaluated, so you can either obtain this value as a result of asset valuation, or of any other risk management related process, or from direct input from the personnel involved in the risk assessment process. Please note that in either case, the responsibility for the value lies with the personnel involved in the risk assessment process, but you, as Risk Manager, must ensure the processes are performed in the right way, and with the proper personnel.
3) What is the relationship between asset value and criticality assessment (like FIPS 199/200)? Again, I see asset criticality assessment as an input to RM, alas, not something that I am responsible for as part of the RM process.
Criticality analysis is a systemic approach to identify how critical an asset is to the business, to support the evaluation of potential risks, and highlight any business impacts associated with such risks. Considering that, for this approach, you do not need the asset value, but only the identification of the asset itself (in this case, you need to evaluate the impact caused by the lack or failure of the asset).
4) Finally, have you written a solid book (like the one on 22301) that explains in detail how 27005 should be applied section by section?
Since ISO 27005 is a supporting standard for ISO 27001 implementation, we did not develop a book covering this specific standard but used its guidance and recommendations to develop the ISO 27001 Risk Management in Plain English.
Sep 07, 2020