Risk assessment process
I wanted to find out which ISO 27001 output documents need to be ready before the risk assessment process commences.
Considering the most common steps for implementation of ISO 27001, the following mandatory documents must be available before risk assessment starts:
- Scope of the ISMS (clause 4.3)
- Information security policy and objectives (clauses 5.2 and 6.2)
The risk assessment and risk treatment methodology is not a mandatory document (the standard only requires the process to be defined and implemented), but it is considered a good practice to have the methodology documented.
The Scope will define which assets and/or processes are included in the ISMS, which is the base for doing the risk assessment. The Information security policy will define basic responsibilities.
These articles will provide you with further explanation of the implementation steps:
- List of mandatory documents required by ISO 27001 (2013 revision) https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
- ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
- ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
These materials will also help you with the implementation steps:
- Preparations for the ISO Implementation Project: A Plain English Guide https://advisera.com/books/preparations-for-the-iso-implementation-project-a-plain-english-guide/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
Feb 13, 2020