5 steps to an effective ISO 27001 risk assessment

Risk assessments are one of the most important parts of an organisation’s ISO 27001 implementation project.

The process can be tricky, but we’ve simplified it in this blog by breaking it down into five easy-to-follow steps.

1. Establish a risk management framework

The risk management framework governs how you identify and manage risks.

This includes who you assign risk ownership to; how the risks affect the confidentiality, integrity and availability of the information; and the method of calculating the estimated damage of each scenario and the likelihood of it occurring.

A formal risk assessment methodology needs to address four issues:

  1. Your organisation’s core security requirements
  2. Risk scale
  3. Risk appetite
  4. Methodology: scenario- or asset-based risk assessment

There is no one right way to handle any of these issues. Indeed, ISO 27001 is a lot less prescriptive than many other information security standards, enabling your organisation to create a plan that’s tailored to its needs.

2. Identify risks

Identifying which risks can affect the confidentiality, integrity and availability of information is the most time-consuming part of the risk assessment process.

We recommend following an asset-based approach, focusing on your information and the ways it can be compromised.

You can do this by developing a list of information assets, but if your organisation has an existing list, most of the work will already be done.

This process is simpler than the alternative – a scenario-based approach – which requires you to run through a variety of security incidents and track the damage through your organisation.

3. Analyse risks

Next, you must identify the threats and vulnerabilities that apply to each asset.

For example, if the threat is ‘theft of mobile device’, the vulnerability might be ‘a lack of formal policy for mobile devices’.

4. Evaluate risks

Now it’s time to assess how significant each risk is. It’s wasteful to implement measures in response to every risk you face, so you should use a risk assessment matrix to help you identify which risks are worth treating and prioritise them.

A risk matrix can be used to prioritise risks

Most risk assessment matrices look like this, with one axis representing the probability of a risk scenario occurring and the other representing the damage it would cause. The cells in between hold the scores produced by combining the two values.

You should use the matrix to score each risk and weigh the totals against your predetermined levels of acceptable risk (i.e. your risk appetite). The scores will determine how you address the risk, which is the final step in the process.

5. Select risk treatment options

There are four ways you can treat a risk:

  1. Avoid the risk by eliminating it entirely
  2. Modify the risk by applying security controls
  3. Share the risk with a third party (through insurance or by outsourcing it)
  4. Retain the risk (if the risk falls within established risk acceptance criteria)

The method you choose will depend on your circumstances. Avoiding the risk is obviously the most effective way of preventing a security incident, but doing so will probably be expensive, if not impossible.

For example, many risks are introduced into an organisation by human error, and you won’t often be able to remove the human element from the equation.

You’ll therefore be required to modify most risks. This involves selecting relevant controls, which are outlined in Annex A of ISO 27001.
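To make steps 4 and 5 concrete, here is a small illustration (added here, not code from the original post) that scores an asset-based risk register on a 5x5 likelihood x impact matrix, ranks the results and flags which risks exceed a risk appetite threshold. The 5-point scales, the band boundaries, the appetite value and the sample register entries are all assumptions made for the example.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Added illustration, not the original post's code. Scale sizes, band
# boundaries, the appetite threshold and the sample entries are assumptions.

@dataclass
class Risk:
    asset: str           # information asset from the asset list (step 2)
    threat: str          # e.g. 'theft of mobile device' (step 3)
    vulnerability: str   # e.g. 'no formal policy for mobile devices'
    likelihood: int      # 1 = rare ... 5 = almost certain
    impact: int          # 1 = negligible ... 5 = severe loss of C, I or A

    def score(self) -> int:
        """Matrix cell value: product of the two axis scores (1..25)."""
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError(f"{self.asset}: likelihood and impact must be 1..5")
        return self.likelihood * self.impact

def band(score: int) -> str:
    """Assumed bands for a 1..25 matrix."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"

def evaluate(register: List[Risk], appetite: int) -> List[Tuple[Risk, int, str, str]]:
    """Return (risk, score, band, decision) rows, highest score first.

    A score at or below the appetite is within the acceptance criteria and
    may be retained; anything above it must be avoided, modified or shared,
    a choice that belongs to the risk owner, so it is reported as 'treat'.
    """
    rows = []
    for r in register:
        s = r.score()
        rows.append((r, s, band(s), "retain" if s <= appetite else "treat"))
    rows.sort(key=lambda row: row[1], reverse=True)
    return rows

# Constructed sample register for the example.
SAMPLE_REGISTER = [
    Risk("staff laptops", "theft of mobile device",
         "no formal policy for mobile devices", 4, 4),
    Risk("customer database", "unauthorised access",
         "shared admin credentials", 3, 5),
    Risk("intranet wiki", "accidental deletion", "no versioning enabled", 2, 2),
]
```

With an appetite of 6, the two high-band risks are reported for treatment and the wiki risk falls within the acceptance criteria and can be retained.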

Need help documenting your risk assessment process?

IT Governance’s ISO 27001 ISMS Documentation Toolkit includes templates of every document you need to comply with the Standard, including comprehensive coverage of the risk assessment process. This toolkit makes it easy to document your:

  • Risk assessment procedure;
  • Risk management framework; and
  • Risk treatment plan.

Designed and developed by expert ISO 27001 practitioners, and enhanced by more than ten years of customer feedback and continual improvement, our ISO 27001 toolkit provides the guidance and tools you need for a hassle-free compliance process.



A version of this blog was originally published on 10 September 2019.
