ISO 27001 Risk Assessment

Simplifying ISO 27001 Certification

What is an ISO 27001 Risk Assessment?

ISO/IEC 27001:2022 clause 6.1.2 requires every certified organization to establish, implement, and maintain a documented risk-assessment process. 

The clause insists on clear risk assessment criteria and auditable outputs (a live risk register and a risk treatment plan) but purposefully stops short of prescribing a specific risk-assessment method.


Related ISO 27001 Risk Assessment Terms

Risk Assessment

A formal process within ISO/IEC 27001:2022 for identifying, analyzing, and evaluating risks to an organization’s information assets. The goal is to determine which risks are unacceptable and require treatment.

Inherent Risk

The level of risk before any controls are applied. It represents the potential impact and likelihood of a threat occurring in an unmitigated state.

Residual Risk

The remaining level of risk after controls and mitigation strategies have been implemented.

Risk Treatment

The process of selecting and applying measures (controls) to reduce or manage risks to acceptable levels.

Risk Appetite

The level and type of risk an organization is willing to accept in pursuit of its objectives.

Risk Criteria

The benchmarks or thresholds against which risk is evaluated. Includes likelihood scales, impact definitions, and acceptability thresholds.

Annex A Controls

The 93 security controls listed in Annex A of ISO/IEC 27001:2022, used to treat the risks identified during the assessment.

ISO 27001 Risk Assessments: Build Security on Your Terms

Clause 6.1.2 of ISO/IEC 27001:2022 requires every certified organization to establish, implement, and maintain a documented information security risk assessment process. That process must:

  • Use defined risk-assessment criteria (likelihood, impact, acceptance levels)
  • Be repeatable and produce consistent, valid, and comparable results
  • Deliver a risk register and feed into the risk-treatment plan

The standard leaves the method itself to you, and this flexibility is essential, because a fintech startup in the cloud, for example, faces different risks than a hospital running on legacy systems.

What The Standard Requires

| ISO 27001 Clause | What Auditors Look For | Proof You Need |
| --- | --- | --- |
| 6.1.2 a–b | Defined risk-assessment criteria | Scales, scoring rules, and language approved by leadership |
| 6.1.2 c–d | Identified, analyzed, and evaluated risks | Current risk register showing assets, threats, scores, and control coverage |
| 6.1.3 | Planned and justified treatment actions | SoA mapping each unacceptable risk to Annex A or other justified controls |
| 8.2 | Monitoring and review | Evidence of periodic and event-driven reassessments |

ISO 27001 Risk-Assessment Process

1. Frame the Context: Define the ISMS scope, objectives, legal/regulatory drivers, and stakeholder expectations.
2. Build / Import Asset Inventory: Catalog data, devices, applications, people, facilities, and suppliers, which also kicks off the ISO 27001 third-party (supplier) risk assessment track.
3. Set Risk-Assessment Criteria: Establish likelihood and impact scales and acceptance thresholds, and name risk owners (all management-approved).
4. Identify Threats & Vulnerabilities: Pull from incident logs, CVE feeds, threat libraries, and staff workshops.
5. Analyse & Evaluate: Score inherent risk, map existing controls, calculate residual risk, and compare it against the acceptance threshold.
6. Decide the Treatment: Choose to avoid, transfer, accept, or mitigate; link each unacceptable risk to Annex A controls.
7. Approve & Record: Leadership signs off the risk register, treatment plan, and Statement of Applicability.
8. Monitor & Refresh: Run scheduled reviews plus change-triggered spot checks so the assessment stays current for ongoing ISO 27001 certificate maintenance.
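Steps 3 to 7 above are the part of the process that auditors sample line by line, so it helps to see them as data rather than prose. The following Python script is an added example, not code from the page or from Centraleyes: it encodes a set of management-approved criteria (1-5 likelihood and impact scales and an acceptance threshold, all assumed values), scores inherent and residual risk for two constructed sample risks, produces the corresponding risk register rows, and checks a proposed treatment against the threshold before it becomes a treatment-plan entry. The Annex A references used for the sample controls are illustrative mappings chosen for the example, and the control effectiveness figures are assumptions.

```python
"""Minimal ISO 27001-style risk register and treatment-plan check.

Every scale, threshold, risk and control mapping below is constructed for
illustration; ISO 27001 requires you to define your own criteria, it does
not prescribe these values."""
from dataclasses import dataclass, field

# Assumed 1-5 ordinal scales (the organization defines these under clause 6.1.2 a-b).
LIKELIHOOD = {1: "rare", 2: "unlikely", 3: "possible", 4: "likely", 5: "almost certain"}
IMPACT = {1: "negligible", 2: "minor", 3: "moderate", 4: "major", 5: "severe"}
# Assumed risk appetite: residual likelihood x impact of 6 or less is acceptable.
ACCEPTANCE_THRESHOLD = 6
TREATMENT_OPTIONS = {"avoid", "transfer", "accept", "mitigate"}


@dataclass
class Control:
    """A control and the scale-point reduction it is credited with (assumed effectiveness)."""
    ref: str                       # Annex A reference, illustrative mapping only
    name: str
    likelihood_reduction: int = 0
    impact_reduction: int = 0


@dataclass
class Risk:
    risk_id: str
    asset: str
    threat: str
    vulnerability: str
    owner: str
    likelihood: int
    impact: int
    existing_controls: list = field(default_factory=list)

    def __post_init__(self):
        # Reject scores outside the approved scales so every entry is comparable.
        if self.likelihood not in LIKELIHOOD or self.impact not in IMPACT:
            raise ValueError(f"{self.risk_id}: likelihood and impact must be on the 1-5 scales")


def _apply(likelihood, impact, controls):
    """Apply control reductions without dropping below the bottom of either scale."""
    for c in controls:
        likelihood -= c.likelihood_reduction
        impact -= c.impact_reduction
    return max(1, likelihood), max(1, impact)


def inherent_score(risk):
    """Risk before any control is credited (step 5, inherent risk)."""
    return risk.likelihood * risk.impact


def residual_score(risk, planned_controls=()):
    """Risk after existing controls, optionally including controls planned as treatment."""
    l, i = _apply(risk.likelihood, risk.impact,
                  list(risk.existing_controls) + list(planned_controls))
    return l * i


def is_acceptable(score):
    return score <= ACCEPTANCE_THRESHOLD


def register_row(risk):
    """One risk register entry of the kind sampled against clause 6.1.2 c-d."""
    residual = residual_score(risk)
    return {
        "id": risk.risk_id, "asset": risk.asset, "threat": risk.threat, "owner": risk.owner,
        "inherent": inherent_score(risk), "residual": residual,
        "controls": [c.ref for c in risk.existing_controls],
        "status": "accepted" if is_acceptable(residual) else "treatment required",
    }


def plan_treatment(risk, option, planned_controls=(), justification=""):
    """Treatment-plan entry (clause 6.1.3). Accepting a risk that stays above the
    threshold needs a recorded justification for leadership sign-off, and a
    mitigation must actually bring the projected residual down to the threshold."""
    if option not in TREATMENT_OPTIONS:
        raise ValueError(f"unknown treatment option {option!r}")
    projected = residual_score(risk, planned_controls)
    if option == "accept" and not is_acceptable(projected) and not justification:
        raise ValueError(f"{risk.risk_id}: accepting residual {projected} needs a justification")
    if option == "mitigate" and not is_acceptable(projected):
        raise ValueError(f"{risk.risk_id}: planned controls leave residual {projected} above threshold")
    return {"id": risk.risk_id, "option": option, "projected_residual": projected,
            "planned_controls": [c.ref for c in planned_controls], "justification": justification}


# Constructed sample data; Annex A references are illustrative, not the page's mappings.
BACKUPS = Control("A.8.13", "Information backup", impact_reduction=2)
VULN_MGMT = Control("A.8.8", "Management of technical vulnerabilities", likelihood_reduction=2)
SAMPLE_RISKS = [
    Risk("R-01", "customer database", "ransomware", "unpatched servers", "Head of IT", 4, 5, [BACKUPS]),
    Risk("R-02", "marketing website", "defacement", "outdated CMS plugin", "Web lead", 2, 2),
]

if __name__ == "__main__":
    for row in map(register_row, SAMPLE_RISKS):
        print(row)
    print(plan_treatment(SAMPLE_RISKS[0], "mitigate", [VULN_MGMT]))
```

Running the script shows R-01 at an inherent score of 20 and a residual of 12 with backups alone, which is above the threshold and therefore flagged for treatment; adding the planned vulnerability-management control brings the projected residual to 6 and the treatment-plan entry is accepted. R-02 scores 4 and is accepted as-is. The two guard rails in `plan_treatment` are where this differs from a plain spreadsheet: an above-threshold risk cannot quietly be marked "accept" without a justification, and a "mitigate" entry that would not reach the threshold is rejected rather than recorded.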

Start Getting Value With Centraleyes for Free

See for yourself how the Centraleyes platform exceeds anything an old GRC system does and eliminates the need for manual processes and spreadsheets, giving you immediate value and letting you run a full risk assessment in less than 30 days.

Start building your risk management program

Key Reports Associated with ISO 27001 Risk Assessments

ISO 27001 Risk Assessment Report 

A narrative summary of the entire exercise: scope, methodology, criteria, findings, and business-impact overview. Auditors read this first to understand how you ran the assessment and why certain risks matter most.

Risk Register 

The live spreadsheet (or platform view) lists every identified risk with its inherent and residual scores, owner, status, and links to evidence. It is your single source of truth for day-to-day risk monitoring and audit sampling.

Risk-Assessment & Treatment Methodology

A standalone document that explains the scoring scales, likelihood/impact definitions, and decision rules you follow when accepting, mitigating, transferring, or avoiding risk. It proves consistency and repeatability across assessments.

Risk Treatment Plan

An action tracker showing what must be done to bring each unacceptable risk down to an acceptable level. It names the control(s) selected, the person accountable, deadlines, budgets, and progress updates, turning analysis into execution.

Statement of Applicability (SoA)

A control-by-control list of all 93 Annex A measures, marking each as implemented, not applicable, or planned, and giving a justification for every exclusion. The SoA is the bridge between risk findings and the control environment that auditors will test.

FAQ: ISO 27001 Risk Assessments

Q: How often do I need to perform a risk assessment?

A: ISO 27001 doesn’t mandate a frequency, but you must define one and stick to it. Most organizations reassess annually or after significant changes.

Q: Can I use a spreadsheet for my risk assessment?

A: Yes, if it’s well-structured, consistently updated, and tracks risk status, control mapping, and ownership.

Q: Is an ISO 27001 risk assessment tool required?

A: No, but platforms help automate evidence collection, versioning, and reporting.

Q: Who should be involved?

A: Risk owners across functions: IT, legal, HR, ops, and security. Broader input leads to better risk visibility.

Q: Do I have to use CVSS or FAIR?

A: No. Any defined, documented, and consistent methodology is valid under ISO.

Q: What do auditors focus on?

A: Traceability, stakeholder involvement, current documentation, and how risks link to the SoA and treatment plan.
