The first step is to identify the scope of the assessment and the assets it covers ["Taking into account (...) the nature, scope, context and purposes of processing"].
Then you perform the risk assessment itself ["the risk of varying likelihood and severity for the rights and freedoms of natural persons"].
Finally you review the identified risks and decide on the risk treatment ["Taking into account the state of the art, the costs of implementation (...) the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk"].
The GDPR does not prescribe a specific methodology, but you should document each of these steps (scope, identified risks, chosen treatment and the reasoning behind it) so that you can demonstrate compliance with the Regulation.
