5 steps to an effective ISO 27001 risk assessment

Risk assessments are one of the most important parts of an organisation’s ISO 27001 compliance project. It’s impossible to put expensive and time-consuming measures in place for every risk that you might face, so you should use the assessment stage to gauge your biggest priorities and allocate resources responsibly.

Performing a risk assessment can be tricky, but this blog simplifies the process by breaking it down into five simple steps.

    1. Establish a risk management framework

    These are the rules governing how you will identify risks; who you assign risk ownership to; how the risks affect the confidentiality, integrity and availability of the information; and the method of calculating the estimated damage of each scenario and the likelihood of it occurring.

    A formal risk assessment methodology needs to address four issues:

    1. Baseline security criteria
    2. Risk scale
    3. Risk appetite
    4. Methodology: scenario- or asset-based risk assessment


    2. Identify risks

    Identifying the risks that can affect the confidentiality, integrity and availability of information is the most time-consuming part of the risk assessment process.

    We recommend following an asset-based approach. Developing a list of information assets is a good place to start, but if you can find an existing list, most of the work will be done for you.

    3. Analyse risks

    You must identify the threats and vulnerabilities that apply to each asset: a threat is an event that could harm the asset, and a vulnerability is the weakness that would let it. For instance, if the threat is ‘theft of mobile device’, a corresponding vulnerability is ‘a lack of formal policy for mobile devices’. Record both against the asset, because the risk score in the next step is driven by how likely the threat is to exploit that specific vulnerability and how much damage would follow.

    4. Evaluate risks

    You need to weigh each risk against your predetermined levels of acceptable risk (i.e. your risk appetite), and determine which risks you need to treat and which ones you can accept as they are. Accepting a risk is still a decision: it should be recorded with its owner and its score, so that it is revisited when the assessment is reviewed.

    5. Select risk treatment options

    There are four ways you can treat a risk:

    1. Avoid the risk by eliminating it entirely
    2. Modify the risk by applying security controls
    3. Share the risk with a third party (through insurance or by outsourcing it)
    4. Retain the risk (if the risk falls within established risk acceptance criteria)
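The five steps above, carried through as a small asset-based risk register in Python. This is an added example and not code from the original post; the 1..5 likelihood and impact scales, the likelihood × impact formula, the appetite threshold of 8, the three sample risks and every function name are constructed for illustration. Your own risk management framework (step 1) defines the real scale, formula and appetite.

```python
"""Worked risk register for the five-step assessment described above.

Added example, not from the original article. The 1..5 scales, the appetite
threshold of 8 and the three sample risks are constructed for illustration;
the organisation's risk management framework (step 1) defines the real values.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional

SCALE_MAX = 5        # constructed risk scale: likelihood and impact are each 1..5
RISK_APPETITE = 8    # constructed: a score of 8 or below is acceptable as-is


class Treatment(Enum):
    AVOID = "avoid"      # eliminate the activity or asset that carries the risk
    MODIFY = "modify"    # apply controls to reduce likelihood and/or impact
    SHARE = "share"      # insurance or outsourcing; residual risk is still recorded
    RETAIN = "retain"    # accept, permitted only when within appetite


def _check_scale(name: str, value: int, asset: str) -> None:
    """Baseline criterion from step 1: scores must stay on the agreed scale."""
    if not 1 <= value <= SCALE_MAX:
        raise ValueError(f"{name}={value} is outside 1..{SCALE_MAX} ({asset})")


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    owner: str
    likelihood: int      # 1 (rare) .. SCALE_MAX (almost certain)
    impact: int          # 1 (negligible) .. SCALE_MAX (severe) on C, I or A
    treatment: Optional[Treatment] = None

    def __post_init__(self) -> None:
        _check_scale("likelihood", self.likelihood, self.asset)
        _check_scale("impact", self.impact, self.asset)

    @property
    def score(self) -> int:
        # The framework fixes the formula; the common likelihood x impact product is used here.
        return self.likelihood * self.impact


def evaluate(register: list, appetite: int = RISK_APPETITE) -> list:
    """Step 4: risks above appetite, highest score first, for their owners to treat."""
    return sorted((r for r in register if r.score > appetite),
                  key=lambda r: r.score, reverse=True)


def treat(risk: Risk, option: Treatment,
          residual_likelihood: Optional[int] = None,
          residual_impact: Optional[int] = None,
          appetite: int = RISK_APPETITE) -> int:
    """Step 5: record the chosen option and return the residual score.

    Retain is only allowed when the risk already sits within appetite (the
    acceptance-criteria caveat above). Modify and share must state the expected
    residual likelihood and/or impact so the reassessed score is on record.
    Avoid removes the exposure entirely.
    """
    if option is Treatment.RETAIN:
        if risk.score > appetite:
            raise ValueError(f"{risk.asset}: score {risk.score} exceeds appetite {appetite}; cannot retain")
        residual = risk.score
    elif option is Treatment.AVOID:
        residual = 0
    else:  # MODIFY or SHARE
        if residual_likelihood is None and residual_impact is None:
            raise ValueError(f"{risk.asset}: '{option.value}' needs a residual likelihood and/or impact")
        lik = risk.likelihood if residual_likelihood is None else residual_likelihood
        imp = risk.impact if residual_impact is None else residual_impact
        _check_scale("residual likelihood", lik, risk.asset)
        _check_scale("residual impact", imp, risk.asset)
        residual = lik * imp
    risk.treatment = option
    return residual


# Constructed sample register (the output of steps 2 and 3), not real data.
REGISTER = [
    Risk("Staff laptops", "theft of mobile device", "no formal mobile device policy",
         "IT manager", likelihood=4, impact=3),
    Risk("Customer database", "unauthorised access", "shared administrator password",
         "Head of engineering", likelihood=3, impact=5),
    Risk("Public marketing brochure", "disclosure", "none identified",
         "Marketing lead", likelihood=2, impact=1),
]

if __name__ == "__main__":
    for r in evaluate(REGISTER):
        print(f"{r.score:>2}  {r.asset}: {r.threat} / {r.vulnerability} (owner: {r.owner})")
```

Running the script lists the two risks above appetite (customer database at 15, laptops at 12) and omits the brochure at 2, which can be retained. Calling `treat` for the laptops with `Treatment.MODIFY` and a residual likelihood of 2 (after a mobile device policy and disk encryption, say) yields a residual score of 6, which is within appetite; attempting to retain the database risk raises, because retaining is only available for risks already inside the acceptance criteria.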

Learn more about risk assessments

Join Sharon O’Reilly in the third webinar in our ISO 27001 webinar series, ‘Conducting a cybersecurity risk assessment’, which will introduce you to the steps that should be taken to assess the information security risks your organisation will face, including:

  • The five-step approach to conducting a risk assessment;
  • Information security versus cyber security;
  • Choosing appropriate risk treatment options;
  • Unpacking the key controls necessary for effective cyber security;
  • Reviewing, monitoring and reporting on the risk assessment; and
  • ISO 27001 and effective information security risk management.


Date: 31 August 2018. Time: 2:00 – 3:15 pm (GMT)

