Use ISO 27005:2022 as a guide to help you develop a risk and opportunities methodology. Add the ‘risk treatment plan’ to the Statement of Applicability. Your own employees may be able to include this assessment in your internal audits, but it may be helpful to use an outside cybersecurity specialist for this activity.