According to ISO/IEC 27005, risk assessment comprises three steps: risk identification, risk analysis, and risk evaluation. In the first step you identify the assets in scope, the threats that could affect them, the existing controls, and the vulnerabilities those threats could exploit. In the second step you estimate, qualitatively or quantitatively, the likelihood of each threat scenario occurring and the impact it would have, and combine the two into a risk level. In the third step you compare the resulting risk levels against the organisation's risk-acceptance criteria and prioritise the risks that exceed them. The assessment is repeated at least annually and additionally on an ad-hoc basis whenever significant changes occur, such as new systems, new threats, or major incidents. Its results feed into the risk-treatment plan, which is a separate step that decides how each unacceptable risk is modified, retained, avoided, or shared.