We are planning for ISO 27001 certification for one delivery center located at some location. Delivery center IT management (Networks, Servers, Security, Helpdesk, Application), required to deliver services to customers remotely, is managed by another IT team, which is not part of the scope.
My query is regarding the risk assessment process. Who will own the risk? Let's take an example: a firewall being used by the Delivery center is managed by the IT team, so who will accept the risk related to all firewalls, i.e. Delivery center management or IT department management?
The other way is to not mention the firewall asset in the asset register, as the Delivery center defines OLAs with the IT department for all services (network support, server support, etc.) and caters for this requirement in the OLAs. Please assist with what the approach should be in this scenario.
I'm not sure if I understood your question correctly, but all the assets in your ISMS scope must be listed, you cannot leave out any of the assets.
The risk owner must be a person who is both interested in resolving the risk and has the authority to do something about it. So in the case of risks related to the network, this is probably the head of your IT department.
In my risk assessment, if I am listing the firewall (it is a shared resource which is also being used for the support organization, including the delivery center) as an asset managed by the IT team, which is not part of the ISMS scope, and highlight risks like hackers and unauthorized access, what is required to be filled in the existing control column of my risk assessment sheet? Do I need to mention the controls implemented by the IT team to mitigate those risks, or do I need to mention the controls implemented by the Delivery center as a supplier to control those risks in the firewall?