Policy and procedure development
Answer:
The first step is to identify which requirements the policy and procedure must fulfill. For example, your organization may have contracts, laws, or regulations with clauses defining which approach to adopt for risk assessment (e.g., a quantitative or qualitative approach), or which acceptance criteria to use. After identifying those requirements, you should consider the context of your organization regarding size, process complexity, and staff maturity.
These articles will provide you with further explanation about document development:
- How to write ISO 27001 risk assessment methodology https://advisera.com/27001academy/knowledgebase/write-iso-27001-risk-assessment-methodology/
- 8 criteria to decide which ISO 27001 policies and procedures to write https://advisera.com/27001academy/blog/2014/07/28/8-criteria-to-decide-which-iso-27001-policies-and-procedures-to-write/
- How detailed should the ISO 27001 documents be? https://advisera.com/27001academy/blog/2014/09/22/detailed-iso-27001-documents/
These materials will also help you regarding documenting risk assessment and treatment:
- The basics of risk assessment and treatment according to ISO 27001 [free webinar] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
Feb 19, 2019