I am currently required to carry out an information security risk assessment for an assignment, using the ISO 27005:2011 standard, for the Equifax data breach that occurred in 2017: https://krebsonsecurity.com/2017/09/the-equifax-breach-what-you-should-know/
What I've gathered from chapter 8 of the 27005 document so far is that the risk assessment process is generally divided into three sections: first risk identification, followed by risk analysis and risk evaluation.
I am currently working on the risk identification section and would appreciate any assistance on methods or techniques I can use to appropriately identify some assets, threats, vulnerabilities and controls relevant to the incident above or more generally. (I'm not looking for the actual items, just ideas on what to look for in the articles related to the incident.)