
Risks definition and SoA

Guest user Created:   Oct 17, 2017 Last commented:   Oct 17, 2017


We bought the toolkit for our planned implementation of ISO 27001, ISO 27017 and ISO 27018. I've looked at the tutorials in order to fill in the correct information, but I have a problem defining the risks as well as the Statement of Applicability.


Expert
Rhand Leal Oct 17, 2017

1 - Is there something else, more specific, that I can get from you in order to do it right?

Answer: Basically it is rather easy to follow the asset-based methodology - you have to list all the assets, then list all the threats to these assets, and then the related vulnerabilities. The template "Risk Assessment Table" has sheets with examples of assets, threats and vulnerabilities you can use to identify your organization's risks.

For risk assessment I suggest you take a look at this article:
- ISO 27001 risk assessment: How to match assets, threats and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/

Additionally, I can suggest our free ISO 27001:2013 Foundations Course (https://advisera.com/training/iso-27001-foundations-course/ ), which will explain the basics of risk assessment and treatment to you.

If you find that this additional information is not enough to resolve your doubts, the toolkit includes scheduled consultations with one of our experts, so you can present the situations you are facing and he will help you define how to handle them.

To schedule a consultation with our expert, please access this link: https://advisera.com/27001academy/consultation/ and provide him with as much information as you can, so that at the scheduled time he can provide you with more effective support.

2 - In addition, is it mandatory to write the Business Continuity Management Policy?

Answer: If you want to be compliant with ISO 27001 only, then a Business Continuity Policy is needed; if you want to be compliant with ISO 22301, then a BC Policy is mandatory.
