Expert Advice Community


IT risk identification

Guest user | Created: Nov 09, 2017 | Last commented: Nov 09, 2017


How to identify and assess IT risk in my workplace?

Expert
Rhand Leal Nov 09, 2017

Answer: According to ISO 27001, you must establish a risk assessment methodology, which involves:
1) Defining how to identify the risks that could cause the loss of confidentiality, integrity and/or availability of your information
2) Defining how to identify the risk owners
3) Defining criteria for assessing consequences and assessing the likelihood of the risk
4) Defining how the risk will be calculated
5) Defining criteria for accepting risks

For risk identification, the most common approach is the identification of assets and threats and vulnerabilities related to them.

These articles will provide you with further explanation about risk assessment:

- ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
- How to write ISO 27001 risk assessment methodology https://advisera.com/27001academy/knowledgebase/write-iso-27001-risk-assessment-methodology/
- ISO 27001 risk assessment: How to match assets, threats and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/

These materials will also help you regarding risk assessment:

- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
- The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
