Chat with Experta

User
How to identify, evaluate and control risks according to ISO 9001 requirements?
Experta
To implement clause 6.1, an organization can determine the risks by holding a brainstorming session with the management team or by using a specific tool for risk determination, taking into consideration the following:
- context of the organization and interested parties
- products and services
- processes of the organization

Risk evaluation does not need to be a formal process; the organization can organize a meeting with the management team and decide which risks are the most significant for the organization. A good practice is to select specific criteria to determine the significance of each risk.

Risks are controlled by operational controls defined for every significant risk. The organization should monitor the effectiveness of these operational controls.

Notes: Criteria for the evaluation of risks are defined by each organization, depending on its own needs.

Examples:
- Identification can be performed by the management team using a SWOT analysis (Strengths, Weaknesses, Opportunities, and Threats). E.g., a risk can be the lack of competence of employees in the customer service department.
- Evaluation can be performed using Impact and Probability criteria to determine the significant aspects. E.g., the Impact and Probability of lack of competence of employees can be high, so it should be considered a significant aspect.
- Control of risks can be performed by ensuring that customer service department employees are appropriately trained.