This technical report helps a responsible organization through the key decisions and steps required to establish a risk management framework, before the organization embarks on a detailed risk assessment of an individual instance of a medical IT-network. The steps are supported by a series of decision points to steer the responsible organization through the process of understanding the medical IT-network context and identifying any organizational changes required to execute the responsibilities of top management as defined in Figure 1 of IEC 80001-1:2010.