Documentation - Scope
The first step that must be taken before starting a risk analysis is determining the scope. It is especially impractical for large organizations to perform a single risk analysis for the entire organization. It would then be wiser to perform multiple risk analyzes in which you focus on a smaller part of the organization for each risk analysis.
If this is your first time performing a risk analysis, focus on the vital processes of the organization. The vital processes of an organization are the processes that ensure that the main products or services that an organization provides can actually be delivered. Take the information systems of a vital process as the scope for a risk analysis. Decide for yourself whether certain vital processes can be treated together in a single risk analysis.
So, defining the scope means determining which information systems you include in the risk analysis. The scope can consist of the information systems belonging to, for example, a process, a department, a project or a collection of information systems that belong together for another reason. Be careful about choosing your scope too wide. The danger of a scope that is too broad is that you do not go deeply enough into important details and therefore get a too superficial picture of the actual risks.