Risk analysis process

ISO 27001 does not prescribe how long an organization should take to implement the risk management process, so this time is defined by each organization to fit their needs, but from our experience 3 years is far too much for the risk assessment to be performed. For small companies of up to 50 employees it should be finished within a week or two, and for a company of ca 200 employees this generally takes a couple of weeks, and for a company of 500 employees, this is ca 4 weeks' time.

This is generally achieved by implementing a risk management process with a simple approach. In case you need something more complex, you should consider this more complex implementation later in the process, so people can become used to the concept of risk management, and you can have identified risks faster.

For example, you can start risk analysis with a qualitative approach (most based in perceptions, easier to understand, quicker to perform, but less accurate), and after that go for your more complex approach.

 These articles will provide you a further explanation about risk identification:

• ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
• ISO 27001 risk assessment: How to match assets, threats, and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/
• How to assess consequences and likelihood in ISO 27001 risk analysis https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#assessment