Risk Analysis

I am creating documentation for Risk Management, The documentation says risk assessment, I want to know which GAP is missing or we are talking about the same. The requirement to be met is: Implement a formal information risk management process that includes the identification and classification of information assets, risk impact, risk probability and risk scores with quantitative definitions, risk treatments, definition of plans treatment, formal follow-ups, implementation of steering committee meetings and cycle re-visit in accordance with ISO-27005 and execute the first annual risk assessment

 I'm assuming you are referring to the ISO 27001/ISO 22301 Risk Assessment Toolkit when you say "La documentación dice evaluación de riesgo" (The documentation says risk assessment).

Considering that, the toolkit covers all requirements for risk assessment and treatment defined by ISO 27001, which also recommends the adoption of ISO 27005 (there are no GAPs in the documentation). In the toolkit, you will find the following documents:

• Risk Assessment and Risk Treatment Methodology
• Risk Assessment Table
• Risk Treatment Table
• Risk Assessment and Treatment Report
• Statement of Applicability
• Risk Treatment Plan

To see how the documents look like, please access the free demo at this link: https://advisera.com/27001academy/iso-27001-22301-risk-assessment-toolkit/

This article will provide you further explanation about risk management for ISO 27001:

• ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/