In your booklet "Step-by-step explanation of ISO 27001/ISO 27005 risk management", you use a risk calculation where "asset value" is part of the formula. My questions are:
1) Does ISO 27001/27005 require the Risk Management process to use asset value as part of calculating the risk assessment level?
2) Does the standard require asset valuation as part of the Risk Management process? Or can it be seen as an input, rather than a direct output of the process? That is to say, asset value is important to me as Risk Manager, but I need that input from the organization. It is not my responsibility to produce it as part of the RM process.
3) What is the relationship between asset value and criticality assessment (like FIPS 199/200)? Again, I see asset criticality assessment as an input to RM, alas, not something that I am responsible for as part of the RM process.
4) Finally, have you written a solid book (like the one on 22301) that explains in detail how 27005 should be applied section for section?