ISO 27005:2022 - Guidance on managing information security risks

This document provides guidance on:

— implementation of the information security risk requirements specified in ISO/IEC 27001;
— essential references within the standards developed by ISO/IEC JTC 1/SC 27 to support information security risk management activities;
— actions that address risks related to information security (see ISO/IEC 27001:2022, 6.1 and Clause 8);
— implementation of risk management guidance in ISO 31000 in the context of information security.

This document contains detailed guidance on risk management and supplements the guidance in ISO/IEC 27003.

This document is intended to be used by:

— organizations that intend to establish and implement an information security management system (ISMS) in accordance with ISO/IEC 27001;
— persons that perform or are involved in information security risk management (e.g. ISMS professionals, risk owners and other interested parties);
— organizations that intend to improve their information security risk management process.