ISO 27001 risk assessments

ISO 27001 is the international standard that sets out the specifications of an information security management system (ISMS), a best-practice approach to addressing information security that encompasses people, processes and technology. Conducting risk assessments is a core element of an ISO 27001 project. 

How an ISO 27001 risk assessment works

Risk assessments are conducted across the entire organisation, covering all potential risks to its established information assets. Businesses then need to produce a set of controls to minimise the identified risks and determine the appropriate budget for doing so.  

ISO 27001 provides not only technical controls, but also solutions that cover people and organisational processes. The 114 controls provided in Annex A of the Standard span the breadth of information security management and include areas such as security staff awareness programmes, encryption, incident management processes and physical access control.

Five simple steps to an effective ISO 27001 risk assessment

A risk assessment process that meets the requirements of ISO 27001:2013 should have five steps:


Establish a risk management framework

A formal risk assessment methodology makes sure that risks are properly and consistently identified, evaluated and mitigated, and the responsibility for doing so is properly delegated. Your risk assessment methodology needs to be signed off by top management and should address the following four points:

  • Baseline security criteria
  • Risk scale
  • Risk appetite
  • Scenario or asset-based risk assessment


Identify risks

The most time-consuming part of the risk assessment process is identifying risks to the confidentiality, integrity and availability of your data. IT Governance suggests following an asset-based approach: establishing a list of your information assets and assessing the risk associated with each. It is easiest to start with an existing list of your information assets. This can include hard copies, electronic files, removable media, mobile devices and IP addresses.


Analyse risks

The next step is to establish the threats and vulnerabilities associated with each asset. For example, your established threat might be ‘theft of laptop’ and the vulnerability might be ‘no formal policy governing use of portable devices’. Impact and likelihood values can be assigned on the basis of your company’s own risk criteria.


Evaluate risks

This means assessing each risk against your established acceptable risk level and selecting which risks need to be prioritised for mitigation on that basis.


Select risk treatment options

There are four risk responses to choose from:

  1. ‘Terminate’ the risk by eliminating it completely. 
  2. ‘Treat’ the risk by applying security controls. 
  3. ‘Transfer’ the risk to a third party (via outsourcing or insurance). 
  4. ‘Tolerate’ the risk (if it falls within your established risk acceptance criteria).
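As an added illustration of the five steps (not code from the original page), the following Python sketch keeps a constructed asset-based risk register, scores each threat/vulnerability pair as impact multiplied by likelihood on an assumed 1 to 5 scale, compares the score with an assumed risk appetite of 8, and checks that the chosen response is one of the four options above. The scoring formula, the scales and the register entries are all assumptions; a real ISMS uses its own signed-off criteria.

```python
from dataclasses import dataclass, field

# Assumed criteria: impact and likelihood rated 1 (lowest) to 5 (highest);
# scores above RISK_APPETITE must be terminated, treated or transferred.
RISK_APPETITE = 8
TREATMENTS = ("Terminate", "Treat", "Transfer", "Tolerate")

@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    impact: int            # 1..5 per the organisation's risk criteria
    likelihood: int        # 1..5 per the organisation's risk criteria
    treatment: str = ""    # one of TREATMENTS, chosen in step 5
    controls: list = field(default_factory=list)  # Annex A references when treating

    @property
    def score(self) -> int:
        return self.impact * self.likelihood   # assumed scoring method

def evaluate(register, appetite=RISK_APPETITE):
    """Step 4: risks above the accepted level, highest score first."""
    above = [r for r in register if r.score > appetite]
    return sorted(above, key=lambda r: r.score, reverse=True)

def treatment_is_valid(risk, appetite=RISK_APPETITE):
    """Step 5 check: tolerating is only allowed within appetite and
    treating must name at least one control."""
    if risk.treatment not in TREATMENTS:
        return False
    if risk.treatment == "Tolerate":
        return risk.score <= appetite
    if risk.treatment == "Treat":
        return bool(risk.controls)
    return True  # Terminate or Transfer

def treatment_plan(register, appetite=RISK_APPETITE):
    """Rows for the risk treatment plan: each risk with score, status and response."""
    rows = []
    for r in sorted(register, key=lambda r: r.score, reverse=True):
        status = "ACCEPTED" if r.score <= appetite else "MITIGATE"
        rows.append(f"{r.asset} | {r.threat} | score {r.score} | {status} | "
                    f"{r.treatment} {', '.join(r.controls)}".rstrip())
    return rows

# Constructed register; the first entry reuses the laptop example from the text.
REGISTER = [
    Risk("Sales laptops", "theft of laptop", "no formal policy governing use of portable devices",
         impact=4, likelihood=3, treatment="Treat", controls=["A.6", "A.10"]),
    Risk("Backup tapes", "loss in transit", "tapes sent by uninsured courier",
         impact=5, likelihood=2, treatment="Transfer"),
    Risk("Visitor log", "unauthorised viewing", "log left on reception desk",
         impact=2, likelihood=3, treatment="Tolerate"),
]
```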

Compile risk reports

Organisations must produce a set of risk assessment reports for audit and certification purposes in an ISO 27001 project.

  • Statement of Applicability (SoA)
    All organisations seeking ISO 27001 certification must produce a list of all controls from Annex A of the Standard, together with a statement justifying either the inclusion or exclusion of each control.

  • Risk treatment plan (RTP)
    On the basis of your risk assessment, your risk treatment plan describes how your organisation intends to address the risks identified.

Review, monitor and audit

Continual improvement is a requirement of ISO 27001, which means that organisations need to continually review, update and improve the ISMS to ensure that it keeps functioning effectively and protecting their information assets from external and internal threats.

Internal audit provides one method of continual review. An internal audit produces a set of reports to demonstrate that risks are being appropriately treated.

Controls from Annex A fall into 14 categories:

  • A.5 Information security policies.
  • A.6 Organisation of information security.
  • A.7 Human resources security.
  • A.8 Asset management.
  • A.9 Access control.
  • A.10 Cryptography.
  • A.11 Physical and environmental security.
  • A.12 Operational security.
  • A.13 Communications security.
  • A.14 System acquisition, development and maintenance.
  • A.15 Supplier relationships.
  • A.16 Information security incident management.
  • A.17 Information security aspects of business continuity management.
  • A.18 Compliance.

Risk assessments are conducted across the whole organisation. They cover all the possible risks to which information could be exposed, balanced against the likelihood of those risks materialising and their potential impact. Once the risk assessment has been conducted, the company needs to decide how it will manage and mitigate those risks, based on allocated resources and budget.

Risk assessment standards

A number of other information security and risk assessment standards support ISO 27001:

  • ISO/IEC 27005:2011 – Guidance for information security risk management.
  • ISO/IEC 31000:2009 – Risk management principles and guidelines.
  • ISO/IEC 31010:2009 – International standard for risk assessment techniques.

Free: Risk assessment and ISO 27001 green paper

Download this paper to find out more and unravel some of the issues surrounding the risk assessment process.


Let’s get started on your ISO 27001 risk assessment project

IT Governance has the widest range of affordable risk assessment solutions that are easy to use and ready to deploy.


Find out more about ISO 27001 training and book your course online.
