ISO 27001 Risk Assessment
Browse ISO 27001 topics
ISO 27001 Risk Assessment
Risk assessment is the engine that drives every decision within an ISO 27001 ISMS. The standard does not prescribe a specific methodology but requires that your approach is systematic, repeatable, and produces comparable results over time. Getting risk assessment right determines which controls you implement, how you allocate resources, and ultimately whether your security program addresses real threats or just checks boxes.
What ISO 27001 Requires
Clauses 6.1.2 and 8.2 of ISO 27001 set out the requirements for risk assessment. At a high level the standard requires you to:
- Define a risk assessment process that establishes criteria for risk acceptance, criteria for performing assessments, and ensures that repeated assessments produce consistent and comparable results.
- Identify information security risks by identifying risks associated with the loss of confidentiality, integrity, and availability of information within the scope of the ISMS, and identifying the risk owners.
- Analyze and evaluate risks by assessing the realistic likelihood and potential impact of each risk, determining the level of risk, and comparing results against your risk criteria to prioritize treatment.
These requirements give you flexibility in choosing a methodology while ensuring the outcome is rigorous enough to withstand audit scrutiny.
Choosing a Risk Assessment Methodology
There is no single correct methodology. The key is that your chosen approach meets the standard's requirements for consistency and comparability. Common approaches include:
Qualitative Assessment
The most widely used approach for ISO 27001, qualitative assessment uses descriptive scales (such as low, medium, high, or critical) for both likelihood and impact. Risks are plotted on a matrix and ranked accordingly.
Advantages: Accessible to non-technical stakeholders, faster to execute, easier to maintain. Limitations: Subjective by nature, can produce inconsistent results if criteria are not well-defined.
Semi-Quantitative Assessment
This approach assigns numerical values to qualitative scales (for example, 1 through 5 for likelihood and impact). The risk level is calculated by multiplying or adding these values, producing a numerical score that enables more granular ranking.
Advantages: More granular than pure qualitative, still manageable without complex data. Limitations: The numbers can create a false sense of precision if the underlying scales are poorly calibrated.
Quantitative Assessment
Fully quantitative approaches express risk in financial or operational terms, often using methods like Factor Analysis of Information Risk (FAIR). Likelihood is expressed as frequency, and impact is expressed in monetary loss.
Advantages: Enables cost-benefit analysis for control investments, speaks the language of business leadership. Limitations: Requires reliable data that many organizations do not have, significantly more complex.
Most organizations pursuing ISO 27001 certification start with a qualitative or semi-quantitative approach. The standard does not require quantitative analysis, and auditors are primarily concerned that your methodology is defined, documented, and consistently applied.
Building Your Risk Assessment Process
Step 1: Define the Scope and Context
Before identifying risks, confirm the scope of your ISMS and understand the internal and external context (clause 4). This includes the regulatory environment, contractual obligations, organizational structure, technology landscape, and threat landscape relevant to your operations.
Step 2: Identify Assets and Information
Create an inventory of information assets within scope. Assets include data repositories, applications, infrastructure, personnel, processes, and third-party services. Some organizations take an asset-based approach where risks are identified per asset. Others take a scenario-based or threat-based approach. Either is acceptable.
Step 3: Identify Threats and Vulnerabilities
For each asset or scenario, identify realistic threats (what could go wrong) and vulnerabilities (weaknesses that a threat could exploit). Common threat categories include:
- Malicious external attacks (ransomware, phishing, DDoS)
- Insider threats (accidental or deliberate)
- System failures (hardware, software, infrastructure)
- Natural events (fire, flood, power outage)
- Third-party and supply chain failures
Step 4: Assess Likelihood and Impact
Using your defined scales, rate each risk for likelihood (how probable is this event given current controls) and impact (what damage would result in terms of confidentiality, integrity, or availability). Document the rationale for each rating so it can be reviewed and challenged.
Step 5: Calculate and Rank Risk Levels
Combine likelihood and impact ratings to determine the overall risk level. Plot risks on a risk matrix or score them numerically. This ranking drives prioritization.
Step 6: Evaluate Against Risk Criteria
Compare each risk level against your organization's risk acceptance criteria. Risks that fall below the acceptance threshold may be accepted with documentation. Risks above the threshold require treatment.
The Risk Treatment Plan
Clause 6.1.3 requires a risk treatment plan that documents how each unacceptable risk will be addressed. For each risk, you select one or more treatment options:
- Mitigate. Apply controls to reduce likelihood, impact, or both. Controls are typically selected from Annex A but can come from any source.
- Transfer. Shift the risk to a third party, commonly through insurance or outsourcing to a provider with contractual security commitments.
- Avoid. Eliminate the activity or condition that creates the risk.
- Accept. Acknowledge the risk and choose not to treat it further, with formal approval from the risk owner.
The risk treatment plan must specify:
- The controls or actions selected
- Who is responsible for implementation
- Implementation timelines
- How effectiveness will be measured
This plan feeds directly into your Statement of Applicability, which declares which Annex A controls are applicable based on your risk treatment decisions.
The Risk Register
The risk register is the central repository that tracks all identified risks, their assessments, treatment decisions, and current status. While ISO 27001 does not mandate a specific format, your risk register should capture:
- Risk ID and description. A unique identifier and clear description of the risk scenario.
- Risk owner. The person accountable for managing the risk.
- Likelihood and impact ratings. Both inherent (before controls) and residual (after controls).
- Risk level. The calculated overall risk score.
- Treatment decision. Mitigate, transfer, avoid, or accept.
- Controls applied. Links to specific Annex A controls or custom controls.
- Residual risk. The remaining risk level after treatment is applied.
- Status and review date. Whether the risk is open, in treatment, or closed, and when it was last reviewed.
A well-maintained risk register is one of the most scrutinized artifacts during certification audits and surveillance audits. Auditors want to see that it is current, that risks have been reviewed on schedule, and that treatment plans are progressing.
Continuous Risk Monitoring
Risk assessment is not a one-time activity. ISO 27001 requires ongoing monitoring and review of risks (clause 8.2 states risk assessments must be performed at planned intervals or when significant changes occur). Triggers for reassessment include:
- Organizational changes. Mergers, new products, entering new markets, significant staffing changes.
- Technology changes. Migrating to new platforms, adopting new tools, decommissioning legacy systems.
- Threat landscape changes. New vulnerability disclosures, emerging attack patterns, incidents at peer organizations.
- Incident outcomes. Lessons learned from security incidents or near-misses within your own organization.
- Audit findings. Results from internal audits, external audits, or penetration tests.
Embed risk review into existing operational rhythms. Monthly or quarterly risk review meetings, integrated with change management processes, keep the risk register alive without creating a separate bureaucratic process.
Common Mistakes
Boiling the ocean. Trying to identify every conceivable risk creates an unwieldy register that no one maintains. Focus on realistic, material risks within your scope.
Inconsistent criteria. If different assessors interpret "medium likelihood" differently, your risk rankings become meaningless. Invest time in calibrating your scales with concrete examples.
Static risk registers. A risk register that is updated once a year for audit purposes provides little actual security value. Risks change continuously, and your register should reflect that.
Ignoring residual risk. After applying controls, you must reassess the remaining risk. If residual risk still exceeds your acceptance criteria, additional treatment is needed.
Disconnecting risk from controls. Every control in your Statement of Applicability should trace back to one or more risks. Controls without risk justification and risks without corresponding controls both indicate process problems.
Making Risk Assessment Practical
The goal is not to create perfect risk models but to make informed, defensible decisions about where to invest in security. Keep your methodology as simple as your context allows, ensure risk owners are genuinely engaged, and use tooling that makes the risk register a living document rather than a static spreadsheet.
Platforms like episki link risk register entries directly to controls, evidence, and review schedules, ensuring that risk treatment decisions stay connected to operational reality. Explore the full ISO 27001 framework to see how risk assessment integrates with the rest of your compliance program.
