This Master Thesis is compiled in the spring of 2019 and seeks to develop a risk assessment meth-od and risk assessment tool for use in the Danish commune of Hjørring. This particular subject is researched with inspiration from Design-Based Learning and through a phenomenological point of view. The idea is to develop a risk assessment method and risk assessment tool by using the four phases of Design-Based Learning and the method participant observation. The first phase is di-rected by a felt study done in the autumn of 2018, where the point was to research how the com-mune of Hjørring did risk assessments with qualitative methods such as interviews, participant observation and document analysis. The result was that the commune needed an organized process to lead the risk assessment work and a collaboration between the information security coordinator and the users of the it-systems. The phase then leads into a state of art analysis of other risk as-sessment methods to compare them and analyze how they live up to the ISO27001-standard and how the new assessment method can differ from these other methods. In the second phase the risk analysis tool and the risk analysis method are developed by using Microsoft Excel as a tool. In the third phase the design of the risk assessment method is tested in practice with the help of employ-ees in the commune. To do this the researcher is using the method facilitation where the risk as-sessment method is tested in practice and the employees is educated on how to do a risk assess-ment. Furthermore, in phase four the test is evaluated with the qualitative methods interview and participant observation. The interview is performed with a Google Analysis formula, where the informants is asked two questions: what was functioning well in the workshop and what was not. The result showed that the employees would like to participate in the workshop again, but there are problems with the risk assessment method. The same result is showed in the participant observa-tion examination. The problem with the risk assessment method is the vulnerability classification of the it-system. The classifications are not right for the commune as an organization and they are hard to use in practice. The conclusion is, that there needs to be done a second iteration process to identify new problems and correct the found problems in the risk assessment method. The risk as-sessment tool is not tested in practice in this Master Thesis and needs to be tested in the next itera-tion.