Risks identification and treatment
Asset: server 1 (internal); threats: fire, system failure, unauthorized access to information, breach of data protection. OR:
Asset: external supplier (technical support); threats: unauthorized access to information, breach of data protection (due to remote access).
Answer: In fact both your approaches are correct. By addressing the unauthorized access to information and breach of data protection on the server, you cover as a threat anyone who can have access to the server (internal users, internal technical staff and external technical support). By addressing the unauthorized access to information and breach of data protection on the external supplier, you consider that this specific user (the external supplier) is a threat that may require further analysis.
Regarding controls application, for the server you could consider limiting user access to the server and folders by implementing access control lists, while for the external supplier, besides access control lists, you could consider service agreements and procedures for remote access (e.g., remote access would be deactivated by default and only activated when needed).
This article will provide you further explanation about risk identification:
- ISO 27001 risk assessment: How to match assets, threats and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/
These materials will also help you regarding risk identification:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
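The two ways of recording the same threats that the answer above describes (on the server, or on the external supplier) can be seen side by side in a small risk register. The following Python is an added example and is not part of the original answer or of any Advisera material; the asset and threat names follow the question, while the 1-3 likelihood and impact scale, the scores, the treatment threshold and the control wording are constructed for illustration.

```python
"""Tiny risk register illustrating asset/threat matching and control assignment.

Added example, not Advisera's material. Scores and the scoring scale are
constructed; only the asset and threat names come from the question.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Risk:
    """One identified (asset, threat) pair with constructed 1..3 scores."""
    asset: str
    threat: str
    likelihood: int  # 1 = low .. 3 = high (constructed scale)
    impact: int      # 1 = low .. 3 = high (constructed scale)

    @property
    def level(self) -> int:
        # Simple likelihood x impact product, a common register convention
        return self.likelihood * self.impact


@dataclass
class RiskRegister:
    risks: list = field(default_factory=list)
    # (asset, threat) -> list of controls applied to that pair
    controls: dict = field(default_factory=dict)

    def identify(self, asset: str, threat: str, likelihood: int, impact: int) -> Risk:
        risk = Risk(asset, threat, likelihood, impact)
        self.risks.append(risk)
        return risk

    def treat(self, asset: str, threat: str, control: str) -> None:
        self.controls.setdefault((asset, threat), []).append(control)

    def controls_for(self, asset: str, threat: str) -> list:
        return list(self.controls.get((asset, threat), []))

    def untreated(self, threshold: int = 4) -> list:
        """Risks at or above the (constructed) threshold with no control assigned."""
        return [r for r in self.risks
                if r.level >= threshold and not self.controls.get((r.asset, r.threat))]


def build_register() -> RiskRegister:
    reg = RiskRegister()

    # Approach 1: threats attached to the server itself. Unauthorized access and
    # data-protection breach here cover every user who can reach the server.
    reg.identify("server 1", "fire", 2, 3)
    reg.identify("server 1", "system failure", 2, 3)
    reg.identify("server 1", "unauthorized access to information", 2, 3)
    reg.identify("server 1", "breach of data protection", 2, 3)

    # Approach 2: the same two threats attached to the external supplier, so the
    # supplier's remote access can be analysed and treated on its own.
    reg.identify("external supplier", "unauthorized access to information", 2, 3)
    reg.identify("external supplier", "breach of data protection", 2, 3)

    # Treatment as suggested in the answer: ACLs on the server; for the supplier,
    # ACLs plus a service agreement and a default-off remote access procedure.
    for threat in ("unauthorized access to information", "breach of data protection"):
        reg.treat("server 1", threat, "access control lists on server and folders")
        reg.treat("external supplier", threat, "access control lists on server and folders")
        reg.treat("external supplier", threat, "service agreement with supplier")
        reg.treat("external supplier", threat, "remote access disabled by default, enabled only when needed")
    reg.treat("server 1", "system failure", "backup and restore procedure")  # constructed control
    # Note: "fire" is deliberately left without a control so untreated() reports it.
    return reg


if __name__ == "__main__":
    register = build_register()
    for r in register.untreated():
        print(f"UNTREATED: {r.asset} / {r.threat} (level {r.level})")
    for ctl in register.controls_for("external supplier", "breach of data protection"):
        print("supplier control:", ctl)
```

Running the script lists the one risk left without a control (fire on server 1) and the three controls attached to the supplier's data-protection breach. The point of the register is the `untreated()` check: whichever way you choose to record a threat, each (asset, threat) pair above your chosen threshold should end up with at least one control, and the supplier-specific entry is where supplier-specific controls such as the default-off remote access procedure naturally attach.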
Thanks! I think I got the point. It seems that it is required to be pragmatic in the assessment...
Dec 08, 2016