Implementing a risk management framework is not an easy task; it is very comprehensive and involves all departments of the organization. Whatever RMF you decide to use (NIST, ITIL, COBIT, etc.) will have to be tailored to your organization to align with your business processes and objectives, i.e., use the components of the framework that fit your business needs; otherwise your cost will be very high and success may not be realized.
NIST CSF/800 aligns nicely with ISO 27k.
I created a hybrid of a few frameworks that works for me and has passed ISO 27001, PCI-DSS and STAR. It scores 80+ threats (natural, human, software, physical…) from 1 to 1,000, with anything above 400 requiring treatment. Lower scores may still require treatment for a specific category (e.g., Impact) that was "scored in the red" even though the overall score is below 400. I then score each of those threats against the Critical Functions of the BIA so I can further pinpoint the scope of the threat. I perform this annually and share it with the Steering Committee. This has resulted in both minor (badge to print to control personal use) and major changes (moved from DC to AWS for DR risk). After sharing with the Committee I create Jira tickets to track and then apply remediation timelines based on risk (High: 30 days, ...). Once resolved I share with the Committee, and everything is documented in the quarterly Committee meeting notes.
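The scoring rules in the post above (an overall 1-1,000 score, treatment above 400, and a per-category "in the red" override that forces treatment even when the total is lower) can be expressed as a small register that produces the treatment queue and SLA tier for each threat. The code below is an added illustration, not the poster's spreadsheet: the category list, the weights, the "red" cutoff, the SLA tiers other than "High: 30 days", the Medium floor for red-override cases, and the sample threat rows are all assumptions chosen only to reproduce the rules the post states.

```python
"""Threat register scoring: overall 1-1000 score, treatment above 400, plus a
per-category "in the red" override and SLA tiers keyed off the score.

Added illustration, not the poster's model. CATEGORY_WEIGHTS, RED_CATEGORY_SCORE,
SLA_TIERS, RED_OVERRIDE_MIN_TIER and SAMPLE_THREATS are assumptions.
"""
from dataclasses import dataclass


# Assumed categories and weights. Each category is scored 1..10 by the assessor;
# weights sum to 100, so the weighted total lands in 100..1000, matching the
# post's 1-1,000 scale.
CATEGORY_WEIGHTS = {"likelihood": 30, "impact": 40, "exposure": 15, "detectability": 15}
OVERALL_TREATMENT_THRESHOLD = 400   # from the post: anything above 400 requires treatment
RED_CATEGORY_SCORE = 8              # assumed: a category at 8/10 or higher is "in the red"

# Assumed SLA tiers: (minimum overall score, tier name, days to remediate).
# The post gives only "High: 30 days"; the other rows are illustrative.
SLA_TIERS = [(800, "Critical", 7), (600, "High", 30), (400, "Medium", 90), (0, "Low", 180)]
RED_OVERRIDE_MIN_TIER = "Medium"    # assumed floor when only a red category triggers treatment


@dataclass
class Threat:
    name: str
    kind: str                  # natural, human, software, physical
    scores: dict               # category -> 1..10
    critical_functions: list   # BIA critical functions this threat can hit


def validate_scores(scores):
    """Reject a row that is missing a category or uses an out-of-range value."""
    missing = set(CATEGORY_WEIGHTS) - set(scores)
    if missing:
        raise ValueError(f"missing categories: {sorted(missing)}")
    for cat, val in scores.items():
        if cat not in CATEGORY_WEIGHTS:
            raise ValueError(f"unknown category: {cat}")
        if not 1 <= val <= 10:
            raise ValueError(f"{cat} must be 1..10, got {val}")


def overall_score(scores):
    validate_scores(scores)
    return sum(weight * scores[cat] for cat, weight in CATEGORY_WEIGHTS.items())


def red_categories(scores):
    return sorted(cat for cat, val in scores.items() if val >= RED_CATEGORY_SCORE)


def sla_tier(score):
    for floor, tier, days in SLA_TIERS:
        if score >= floor:
            return tier, days


def assess(threat):
    """Score one threat and decide treatment as the post describes:
    overall > 400, or any single category in the red."""
    score = overall_score(threat.scores)
    red = red_categories(threat.scores)
    over_threshold = score > OVERALL_TREATMENT_THRESHOLD
    treat = over_threshold or bool(red)
    tier, days = sla_tier(score)
    if treat and not over_threshold:
        # Red-category override on an otherwise low score: apply the assumed floor tier.
        tier, days = next((t, d) for _, t, d in SLA_TIERS if t == RED_OVERRIDE_MIN_TIER)
    return {
        "name": threat.name, "kind": threat.kind, "score": score, "red": red,
        "treat": treat, "tier": tier if treat else None, "days": days if treat else None,
        "critical_functions": list(threat.critical_functions),
    }


def build_register(threats):
    """Full register, highest score first."""
    return sorted((assess(t) for t in threats), key=lambda r: r["score"], reverse=True)


def treatment_queue(threats):
    """The slice that becomes tickets after the Committee review."""
    return [r for r in build_register(threats) if r["treat"]]


# Constructed sample rows (not the poster's data), one per threat family.
SAMPLE_THREATS = [
    Threat("Ransomware via phishing", "human",
           {"likelihood": 8, "impact": 9, "exposure": 7, "detectability": 5},
           ["Order processing", "Customer support"]),
    Threat("Regional flood at primary DC", "natural",
           {"likelihood": 2, "impact": 9, "exposure": 3, "detectability": 2},
           ["Order processing"]),
    Threat("Loss of offsite backup tapes in transit", "physical",
           {"likelihood": 1, "impact": 8, "exposure": 1, "detectability": 1},
           ["Payment processing"]),
    Threat("Personal use of office printers", "human",
           {"likelihood": 4, "impact": 2, "exposure": 3, "detectability": 2},
           ["Facilities"]),
]

if __name__ == "__main__":
    for row in build_register(SAMPLE_THREATS):
        flag = f"TREAT ({row['tier']}, {row['days']}d)" if row["treat"] else "accept"
        print(f"{row['score']:>4}  {row['name']:<42} red={row['red']}  {flag}")
```

The third sample row is the case the post calls out: its total (380) is below the 400 line, but Impact is in the red, so it still lands in the treatment queue; the register output is what gets carried into the Committee pack and, per row, into a ticket with its timeline.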