I also have questions about risk assessment. I am asking for guidance in relation to the following questions:
1. Is the risk assessment methodology document the same for 22301 and 27001? There is no direct reference to ISO 22301 in the sample document, only ISO 27001. Is it appropriate in case I'm not only implementing 27001? Let’s suppose I implement ISO 22301 or possibly ISO 22301 + 27001 simultaneously.
2. Do I understand correctly that risk assessment should cover all business processes / activities involved in the business continuity management system?