Methodology for risk assessment in ISO 27001

Guest user Created:   Oct 05, 2016 Last commented:   Oct 05, 2016

Does ISO 27001 define a methodology for risk assessment? Give examples.

Expert
Dejan Kosutic Oct 05, 2016

Answer:

ISO 27001:2013 does not define a risk methodology, only requirements for the risk assessment and risk treatment process. There are many examples of risk methodologies; I would generally divide them into quantitative and qualitative (or combined) risk assessment.

This article gives you a couple of examples of a qualitative methodology: How to write ISO 27001 risk assessment methodology https://advisera.com/27001academy/knowledgebase/write-iso-27001-risk-assessment-methodology/

These materials will also teach you how to define the risk assessment methodology:
- free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
- book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
