Single-user edition. A STREAM database configured with PCI DSS v2.0 content for use with the free single-user version of Acuity's GRC software solution, STREAM Integrated Risk Manager (Version 2.0).
ISO 27001
In the STREAM ISO 27001 Application, why are Information Assets defined separately from other Asset Classes?
In the ISO 27001 App, business assets are assets which PROCESS, STORE or COMMUNICATE information. This includes technical infrastructure and networks, physical locations, third parties and people. These are entered on the Assets menu.
Threats can directly affect such assets, leading to the set of generated risks (threats to assets) and to the compromise of information.
Is the set of Information Security threats provided within the ISO 27001 App complete?
There is always a choice as to the level of threat definition that is appropriate in a given environment, and this is of course the choice of the organisation concerned.
Why are the ISO 27001 controls NOT linked directly to the information security threats (on dashboards), and can I make these linkages?
STREAM's 'threat/mitigation controls' setup is completely flexible, so YES, it is possible to link the ISO 27001 controls directly to the threats on the Setup screens. (You would use the Threat Asset Class – Control Asset Class screen to do this.)
What is the Vulnerabilities ON/OFF switch for, and do I need to use it for ISO 27001?
The 'Vulnerabilities' facility allows you to record lists of "Known Vulnerabilities" in relation to particular workspaces or registers in your dashboard hierarchy.












