Implementing ISO 27001 information security risk management

Step 1: Identify the internal and external issues in our company
Step 2: Identify the risks and opportunities that would arise from each internal and external issue
Step 3: Bring the risk items identified during "step 2" to risk assessment
Step 4: Devise a separate plan to utilize the opportunities.
Step 5: Develop the risk treatment plan.

Answer:

To be compliant with ISO 27001 the risk management must follow these steps:
- Definition of a risk assessment and treatment methodology
- Performing of risk assessment (risk identification and risk analysis)
- Performing of risk treatment (risk evaluation and controls selection)
- Elaboration of a risk treatment report
- Elaboration of Statement of Applicability (SoA)
- Elaboration of Risk Treatment Plan and acceptance of residual risks

To see how a risk assessment and treatment process looks like, I suggest you to take a look at the free demo of our ISO 27001/ISO 22301 Risk Assessment Toolkit at this link: https://advisera.com/27001academy/iso-27001-22301-risk-assessment-toolkit/

This article will provide you further explanation about implementing risk management:
- ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/iso-27001-22301-risk-assessment-toolkit/

These materials will also help you regarding risk assessment:
- The basics of risk assessment and treatment according to ISO 27001 [free webinar] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/