Performing Risk Assessment

Guest user | Created: Mar 15, 2017 | Last commented: Mar 15, 2017

I work for an organization with more than 1500 employees. I wanted to do a risk assessment using ISO 27001 risk assessment: How to match assets, threats and vulnerabilities. I wanted to start with the finance department, with a staff complement of 87 people. How do I go about it?

Expert
Rhand Leal Mar 15, 2017

Answer: The first thing you should do is write your risk assessment methodology, so you can have in hand all the rules, considerations and steps regarding how to identify, analyse, and evaluate the risk. After all these items are properly documented you can proceed with the assessment itself (and be sure that people will ask you about these things during the assessment).

Considering the number of people, maybe it would be better to divide them into smaller groups (at most 20 people per facilitator), grouping them by process performed (e.g., accounts receivable, accounts payable, etc.), or by offices (assuming that this number of people do not stay in the same room), or any other criteria you can use to divide them. Try to make cycles considering the threats and vulnerabilities for a specific asset before going to another asset. Also consider taking checklists with you to help you identify risks, and paper to take notes of all information.

These articles will provide you with further explanation about risk assessment:
- ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
- How to write ISO 27001 risk assessment methodology https://advisera.com/27001academy/knowledgebase/write-iso-27001-risk-assessment-methodology/
- How to assess consequences and likelihood in ISO 27001 risk analysis https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#assessment
