Who must perform the Risk Assessment within the Company?

The risk assessment must be performed by all organization units involved with the ISMS scope (good practice would be the risk assessment being performed by one person from each department), either all together in a single process or in separated processes that will be consolidated later (this will depend on the size of the scope, its complexity, number of people involved, etc.). Regardless of the approach, you should consider the participation of the Information Security Manager, or someone with knowledge on the risk assessment process, to act as facilitator, supporting the organization units personnel to identify, analyse and evaluate the risks concerning their activities.

This article will provide you further explanation about the risk assessment process:
- ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/

These materials will also help you regarding the risk assessment process:
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-risk-management-in-plain-english/
- The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/