S07 - Appendix A.4 Risk-Based Thinking
| 6.1 specifies that the organization shall plan actions to address risks
There is no requirement for formal methods for risk management or a documented risk management process.
Organizations can decide whether or not to develop a more extensive risk management methodology than is required by this International Standard, e.g. through the application of other guidance or standards.