Expert Advice Community

Risk assessment methodology

Guest user Created:   Feb 27, 2017 Last commented:   Feb 27, 2017

1 - Is it imperative that we first decide the methodology of risk assessment, whether to go with qualitative or quantitative, and then apply it across the organization? Or can we apply both methodologies as per our requirement?

Expert
Rhand Leal Feb 27, 2017

Answer: Defining a methodology means defining the rules which will guide you through risk assessment, exactly to answer questions like the ones you asked (others may be how to calculate a risk, how to decide whether to accept a risk or not, etc.), so all people in your organization will have the same criteria for assessing the risks, ensuring comparable and repeatable results. And besides making your risk assessment easier to handle, in terms of the standard, it is required that you first establish your methodology.

As for the qualitative and quantitative approaches, you can apply both according to your requirements, but in most cases for small and medium-sized businesses, the qualitative approach will be sufficient (quantitative assessment requires a complex mathematical approach justified only for few high-impact risks).

2 - Further, do you have any practical guide on risk assessment, for example, identifying one asset and identifying related risks, threats and vulnerabilities in detail with a practical approach?

Answer: In the video tutorials that came with your toolkit, you can see examples of how to fill out all the data for Risk assessment and Risk treatment. Additionally, in the book Secure and Simple that you bought, you will find in sections 7.3 to 7.5 detailed information and examples of risk identification, and in Appendix M you will find a useful catalogue of threats and vulnerabilities to help you build your risk assessment.
