Key Takeaways: ISO 27001 Clause 8.2 Information Security Risk Assessment
ISO 27001 Clause 8.2 requires organizations to execute the information security risk assessment process defined in Clause 6.1.2. While the earlier clause covers the planning and methodology, Clause 8.2 is about the operational “Do” phase. You must actively identify, analyze, and evaluate risks at planned intervals or whenever significant changes occur. This ensures that your understanding of the threat landscape remains current and that your controls are prioritized based on actual risk rather than guesswork.
Core requirements for compliance include:
- Planned Intervals: Risk assessments must be conducted regularly (e.g., annually) or when significant changes occur (e.g., new product launch, merger, or major system upgrade).
- Asset-Based Approach: You must identify information assets (data, devices, software) and the specific threats (e.g., ransomware, theft) and vulnerabilities (e.g., unpatched software, weak passwords) associated with them.
- Risk Analysis: You must assign scores to risks based on their Likelihood (how often it might happen) and Impact (how bad it would be). This is often done using a risk matrix (e.g., 5×5).
- Risk Evaluation: You must compare the calculated risk score against your organization’s Risk Appetite. Risks above the acceptable threshold must be treated (fixed), while those below may be accepted.
- Documentation: You must retain documented information of the results. A Risk Register is the standard tool for this, serving as the central “source of truth” for your security posture.
- Communication: The results of the assessment must be communicated to risk owners and relevant stakeholders to ensure they understand their responsibilities.
Audit Focus: Auditors will look for “The Living Document”:
- Freshness of Data: “Show me your Risk Register. When was the last time this specific risk was reviewed? (If it’s dated 18 months ago, that’s a nonconformity).”
- Trigger-Based Assessments: “You migrated to a new cloud provider last month. Show me the specific risk assessment you conducted before that change went live.”
- Owner Awareness: “Who owns this ‘High’ risk regarding vendor access? If I ask them, will they know they own it and what the treatment plan is?”
Risk Assessment Process Checklist (Audit Prep):
| Step | Action Required | Evidence Example |
| --- | --- | --- |
| 1. Identify | List assets, threats, and vulnerabilities. | Asset Inventory & Threat Log. |
| 2. Analyze | Score Likelihood x Impact. | Risk Matrix Calculation (e.g., 4 x 5 = 20). |
| 3. Evaluate | Compare against Risk Appetite. | “Risk Score 20 > Acceptable Level 15.” |
| 4. Treat | Decide: Mitigate, Transfer, Avoid, or Accept. | Link to Risk Treatment Plan. |
| 5. Review | Re-assess after changes or annually. | Updated “Last Reviewed” Date. |
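The checklist steps above carried into code, as an added example that is not part of the original article or of any toolkit it describes: a small risk register scored on a 5×5 Likelihood × Impact matrix, evaluated against a sample acceptable level of 15, and checked for the "Last Reviewed" freshness an auditor looks for. The register rows, the 12-month review interval and the owner names are constructed assumptions.

```python
"""Risk register check for the Identify / Analyze / Evaluate / Review steps above.

Added example, not code from the page or from any toolkit. It assumes a 5x5
Likelihood x Impact matrix, an acceptable level of 15 and an annual review
interval; the register rows below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date

RISK_APPETITE = 15           # scores strictly above this must be treated
REVIEW_INTERVAL_DAYS = 365   # "at least annually"


@dataclass
class Risk:
    risk_id: str
    asset: str
    threat: str
    vulnerability: str
    likelihood: int          # 1..5
    impact: int              # 1..5
    owner: str               # empty string = no risk owner assigned
    last_reviewed: date


def score(risk: Risk) -> int:
    """Analyze: Likelihood x Impact on the 5x5 matrix (range 1..25)."""
    if not (1 <= risk.likelihood <= 5 and 1 <= risk.impact <= 5):
        raise ValueError(f"{risk.risk_id}: likelihood and impact must be 1..5")
    return risk.likelihood * risk.impact


def decision(risk: Risk, appetite: int = RISK_APPETITE) -> str:
    """Evaluate: above the appetite must be treated; at or below may be accepted."""
    return "treat" if score(risk) > appetite else "accept"


def is_stale(risk: Risk, today: date, interval_days: int = REVIEW_INTERVAL_DAYS) -> bool:
    """Review: the auditor's freshness check on the 'Last Reviewed' date."""
    return (today - risk.last_reviewed).days > interval_days


def audit_register(register: list[Risk], today: date) -> dict[str, dict]:
    """Score and evaluate every row, and collect the findings an auditor would raise."""
    report = {}
    for r in register:
        findings = []
        if is_stale(r, today):
            findings.append("stale review")
        if not r.owner:
            findings.append("no risk owner")
        report[r.risk_id] = {"score": score(r), "decision": decision(r), "findings": findings}
    return report


# Constructed sample register; R-01 is deliberately 18 months old, R-03 sits exactly on the appetite.
TODAY = date(2025, 12, 1)
SAMPLE_REGISTER = [
    Risk("R-01", "Vendor VPN accounts", "Unauthorised vendor access",
         "Shared credentials, no MFA", 4, 5, "Head of IT", date(2024, 6, 1)),
    Risk("R-02", "Staff laptops", "Theft", "Unencrypted disks",
         3, 3, "Facilities Manager", date(2025, 9, 15)),
    Risk("R-03", "File server", "Ransomware", "Unpatched OS",
         5, 3, "", date(2025, 11, 1)),
]

if __name__ == "__main__":
    for rid, row in audit_register(SAMPLE_REGISTER, TODAY).items():
        print(rid, row)
```

R-03 shows the boundary case: a score equal to the acceptable level is not above it, so it may be accepted, but it still carries a finding because no owner is assigned.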
Table of contents
- What is ISO 27001 Clause 8.2?
- Watch the ISO 27001 Clause 8.2 Tutorial Video
- How to implement ISO 27001 Clause 8.2
- ISO 27001 Clause 8.2 Implementation Checklist
- ISO 27001 Clause 8.2 Audit Checklist
- ISO 27001 Risk Register Template
- ISO 27001 Risk Management Policy Template
- Fast Track ISO 27001 Clause 8.2 Compliance with the ISO 27001 Toolkit
- ISO 27001 Clause 8.2 FAQ
- Further Reading
What is ISO 27001 Clause 8.2?
ISO 27001 clause 8.2 focuses on executing the Information Security Risk Assessment. While clause 6.1.2 covers the planning stages, 8.2 is about putting that plan into action. The standard requires organizations to define, implement, and actively carry out a risk assessment process. Crucially, this process must generate and maintain documented evidence of the assessment, typically through a risk register.
ISO 27001 Clause 8.2 Definition
ISO 27001 defines ISO 27001 Clause 8.2 as:
The organisation shall perform information security risk assessments at planned intervals or when significant changes are proposed or occur, taking account of the criteria established in 6.1.2 a).
The organisation shall retain documented information of the results of the information security risk assessments.
ISO 27001:2022 Clause 8.2 Information Security Risk Assessment
Watch the ISO 27001 Clause 8.2 Tutorial Video
In the ISO 27001 tutorial How to Implement ISO 27001 Clause 8 I show you how to implement it and pass the audit.
How to implement ISO 27001 Clause 8.2
For details on how to conduct an ISO 27001 risk assessment read The Complete Guide to ISO 27001 Risk Assessment that walks you through it step by step.
ISO 27001 Clause 8.2 Implementation Checklist
1. Establish Risk Assessment Methodology
Define a clear and documented risk assessment methodology, including criteria for likelihood, impact, and risk acceptance. This should align with the organisation’s context and objectives.
Challenge
Difficulty in selecting a suitable methodology that fits the organisation’s size, complexity, and risk appetite. Methodologies can be complex and require specialist knowledge.
Solution
Research different methodologies (e.g., qualitative, quantitative, hybrid) and choose one that is appropriate. Consider using ISO 27001 templates and seeking expert advice if needed. Start with a simpler approach and iterate.
2. Identify Information Assets
Catalogue all information assets within the scope of the ISMS, including data, systems, processes, and physical assets.
Challenge
Overlooking critical assets, especially intangible ones like reputation or intellectual property. Maintaining an up-to-date asset inventory can be difficult in dynamic environments.
Solution
Use a structured approach to asset identification, involving representatives from different departments. Implement a process for regularly reviewing and updating the asset inventory. Utilise automated discovery tools where possible.
3. Identify Threats
Identify potential threats that could exploit vulnerabilities and compromise information assets. Consider internal and external threats, including natural disasters, cyberattacks, and human error.
Challenge
Keeping up with the evolving threat landscape, especially cyber threats. Bias towards focusing on common threats and overlooking less frequent but potentially devastating ones.
Solution
Regularly consult threat intelligence sources, participate in industry forums, and conduct penetration testing and vulnerability assessments to stay informed. Use threat modelling techniques to explore potential attack scenarios.
4. Identify Vulnerabilities
Identify weaknesses in the information system that could be exploited by threats. This includes technical, organisational, and human vulnerabilities.
Challenge
Difficulty in identifying all vulnerabilities, especially those related to complex systems or human behaviour. Vulnerability scanning tools can generate a large number of false positives.
Solution
Conduct regular vulnerability scans and penetration testing. Implement a process for reporting and tracking vulnerabilities. Provide security awareness training to address human vulnerabilities. Prioritise vulnerabilities based on risk.
5. Analyse Risks
Analyse the identified threats and vulnerabilities to determine the likelihood and impact of potential incidents. This will help prioritise risks for treatment.
Challenge
Subjectivity in estimating likelihood and impact. Difficulty in quantifying risks, especially for non-financial impacts.
Solution
Use a consistent scoring system for likelihood and impact. Involve subject matter experts in the risk analysis process. Document the rationale behind risk assessments to ensure transparency and consistency.
6. Evaluate Risks
Evaluate the analysed risks against the organisation’s risk acceptance criteria to determine which risks require treatment.
Challenge
Defining appropriate risk acceptance criteria. Pressure to accept risks that are actually too high.
Solution
Define risk acceptance criteria based on business objectives, legal and regulatory requirements, and interested parties' expectations. Ensure that risk acceptance decisions are documented and approved by management.
7. Document the Risk Assessment Results
Document the entire risk assessment process, including the identified assets, threats, vulnerabilities, risks, and their evaluations.
Challenge
Maintaining accurate and up-to-date documentation. Risk assessment reports can become lengthy and difficult to manage.
Solution
Use an ISO 27001 risk register or a dedicated risk management tool to record and manage risk assessment information. Regularly review and update the ISO 27001 risk register.
8. Communicate the Risk Assessment Results
Communicate the results of the risk assessment to relevant interested parties, including management, asset owners, and security personnel.
Challenge
Communicating complex technical information to non-technical audiences. Ensuring that interested parties understand their roles and responsibilities in managing risks.
Solution
Tailor communication to the audience. Use clear and concise language, avoiding technical jargon. Provide training and awareness sessions to explain risk assessment results and their implications.
9. Use the Risk Assessment Results to Inform Risk Treatment
Use the risk assessment results to develop and implement appropriate risk treatment plans. This may involve reducing, transferring, accepting, or avoiding risks.
Challenge
Developing cost-effective and effective risk treatment plans. Balancing security requirements with business needs.
Solution
Prioritise risk treatment based on the risk assessment results. Consider different risk treatment options and select the most appropriate one. Develop a risk treatment plan that includes timelines, responsibilities, and resources.
10. Regularly Review and Update the Risk Assessment
Risk assessments should be reviewed and updated regularly, especially when there are significant changes to the organisation’s information systems, threats, or vulnerabilities.
Challenge
Maintaining momentum and resources for ongoing risk assessment. Risk assessments can become outdated quickly in dynamic environments.
Solution
Establish a schedule for regular risk assessment reviews. Integrate risk assessment into other security management processes, such as change management and incident response. Use automation where possible to streamline the risk assessment process.
ISO 27001 Clause 8.2 Audit Checklist
How to audit ISO 27001 Clause 8.2 Information Security Risk Assessment
1. Review Risk Identification
Verify that a systematic process is used to identify information security risks relevant to the organisation’s information assets.
- Review risk registers, asset inventories, threat intelligence reports, and legal/regulatory requirements.
- Interview staff across different departments to identify potential risks.
2. Review of the Risk Assessment Methodology
Confirm that identified risks are analysed to determine their potential impact and likelihood.
- Examine the documented methodology.
- Interview personnel responsible for risk assessment to gauge their understanding and application of the methodology.
- Compare the documented methodology against best practices and relevant standards.
3. Verification of Asset Identification
Confirm that all relevant information assets within the scope of the ISMS have been identified and documented.
- Review the asset register.
- Conduct walkthroughs of different departments to identify information assets not listed.
- Examine data flow diagrams and system documentation.
- Compare the asset register against other sources like configuration management databases.
4. Examination of Threat Identification
Assess the comprehensiveness of the threat identification process, ensuring both internal and external threats have been considered.
- Review threat intelligence reports, legal/regulatory updates, and industry best practices.
- Examine meeting minutes or documentation from threat modelling exercises.
- Interview security personnel about their understanding of current and emerging threats.
- Check for evidence of considering various threat actors (e.g., malicious insiders, cybercriminals, natural events).
5. Assessment of Vulnerability Identification
Verify that vulnerabilities have been identified through appropriate methods, such as vulnerability scanning, penetration testing, and security assessments.
- Review vulnerability scan reports and penetration testing results.
- Examine security assessment reports.
- Interview technical staff about vulnerability management processes.
- Check for evidence of regular vulnerability scanning and timely patching.
6. Evaluation of Risk Analysis Process
Evaluate the risk analysis process to ensure it is systematic, consistent, and considers both likelihood and impact.
- Review risk assessment reports.
- Examine the criteria used for determining likelihood and impact. Interview risk assessors to understand how they apply the criteria.
- Recalculate a sample of risks to verify the consistency of the process.
7. Review of Risk Evaluation and Acceptance
Verify that risks are evaluated against defined risk acceptance criteria and that risk acceptance decisions are documented and approved by management.
- Review risk treatment plans and risk acceptance documentation.
- Examine meeting minutes where risk acceptance decisions were made.
- Interview management about their understanding of the organisation’s risk appetite.
8. Scrutiny of Risk Assessment Documentation
Verify that the risk assessment process and its results are adequately documented in an ISO 27001 risk register or similar document.
- Examine the ISO 27001 risk register.
- Check for completeness, accuracy, and timeliness of the information.
- Verify that the risk register is regularly updated and reviewed.
9. Assessment of Communication of Risk Assessment Results
Confirm that the results of the risk assessment are communicated to relevant interested parties.
- Review communication records, such as emails, reports, and presentations.
- Interview interested parties about their understanding of the risks and their roles in managing them.
10. Evaluation of Link to Risk Treatment
Verify that the risk assessment results are used to inform the development and implementation of risk treatment plans.
- Review risk treatment plans and their link to the identified risks.
- Examine evidence of implementation of risk treatments.
- Interview security personnel about how risk assessment results are used to prioritise security activities.
11. Verification of Regular Review and Update
Confirm that the risk assessment is reviewed and updated regularly, especially when there are significant changes to the organisation’s information systems, threats, or vulnerabilities.
- Examine the revision history of the risk assessment documentation.
- Interview security personnel about the frequency of risk assessment reviews.
- Check for evidence of risk assessment updates following significant changes.
- Verify the process for triggering a risk assessment review.
12. Ensure Risk Register Maintenance
Ensure the risk register is kept up to date, reflecting changes in the organisation’s risk environment.
- Examine the risk register for completeness.
- Review records of risk assessments and updates.
- Interview risk owners to understand how they monitor risks.
13. Check the Competence of Risk Assessors
Ensure that individuals involved in risk assessments have the necessary skills and expertise.
- Review training records and qualifications of risk assessors.
- Interview risk assessors to assess their understanding of risk assessment techniques.
ISO 27001 Risk Register Template
ISO 27001 Risk Management Policy Template
Fast Track ISO 27001 Clause 8.2 Compliance with the ISO 27001 Toolkit
For ISO 27001 Clause 8.2 (Information security risk assessment), the requirement is to perform risk assessments at planned intervals or when significant changes occur. While Clause 6.1.2 defines the plan, Clause 8.2 is about the execution: identifying assets, threats, and vulnerabilities, and then documenting the results in a risk register to prove the process occurred.
While SaaS compliance platforms often try to sell you “automated risk workflows” or complex “threat scoring engines,” they cannot actually identify a specific business-critical asset tucked away in a specialized department or understand the nuance of your organization’s unique risk appetite; those are human governance and strategic tasks. The High Table ISO 27001 Toolkit is the logical choice because it provides the execution framework you need without a recurring subscription fee.
1. Ownership: You Own Your Risk Data Forever
SaaS platforms act as a middleman for your compliance evidence. If you define your risks and store your risk register inside their proprietary system, you are essentially renting your own organizational security history.
- The Toolkit Advantage: You receive the ISO 27001 Risk Register Template and Risk Management Procedure in fully editable Excel/Word formats. These files are yours forever. You maintain permanent ownership of your records (such as your specific history of asset threats), ensuring you are always ready for an audit without an ongoing “rental” fee.
2. Simplicity: Governance for Real-World Assessment
Clause 8.2 is about doing the work. You don’t need a complex new software interface to manage what a well-structured Excel risk register and a formal annual risk meeting already do perfectly.
- The Toolkit Advantage: Your team already knows where the “crown jewels” are. What they need is the governance layer to prove to an auditor that these assets are assessed systematically and consistently. The Toolkit provides pre-written “Risk Assessment Implementation Checklists” that formalize your existing work into an auditor-ready framework, without forcing your team to learn a new software platform just to log a threat.
3. Cost: A One-Off Fee vs. The “Risk Volume” Tax
Many compliance SaaS platforms charge more based on the number of “assets,” “risks,” or “assessment cycles” you track. For a clause that is fundamental to every part of your organization, these monthly costs can scale aggressively for very little added value.
- The Toolkit Advantage: You pay a single, one-off fee for the entire toolkit. Whether you assess 10 risks or 1,000, the cost of your Risk Assessment Documentation remains the same. You save your budget for actual risk mitigation (like better security tools) rather than an expensive compliance dashboard.
4. Freedom: No Vendor Lock-In for Your Security Strategy
SaaS tools often mandate specific ways to report on and monitor “risk assessments.” If their system doesn’t match your unique business model or specialized industry risk factors, the tool becomes a bottleneck to true security.
- The Toolkit Advantage: The High Table Toolkit is 100% technology-agnostic. You can tailor the Risk Procedures to match exactly how you operate, whether you use qualitative scoring or specialized hybrid methods. You maintain total freedom to evolve your risk strategy without being constrained by the technical limitations of a rented SaaS platform.
Summary: For Clause 8.2, the auditor wants to see that you have a formal risk register and evidence that assessments are performed at least annually or when things change. The High Table ISO 27001 Toolkit provides the governance framework to satisfy this requirement immediately. It is the most direct, cost-effective way to achieve compliance using permanent documentation that you own and control.
ISO 27001 Clause 8.2 FAQ
The ISO 27001 standard requires an organisation to perform risk assessment at planned intervals or when things change and keep evidence of the risk assessment.
As a benchmark you would perform a full risk assessment at least annually.
In addition, you do a risk assessment every time there is a significant change.
Risks are actually regularly assessed at the management review team meeting as part of the structured management review team agenda.
It is best practice that these meetings should occur every month or at least once every 3 months.
Planned intervals means that you have a plan to conduct a risk assessment at a certain time. An example of a planned interval would be to conduct a risk assessment at least annually.
You can download ISO 27001 Clause 8.2 Information Security Risk Assessment templates in the ISO 27001 Toolkit.
An example of ISO 27001 Clause 8.2 Information Security Risk Assessment can be found in the ISO 27001 Toolkit.
Yes. A complete guide to the ISO 27001 Clause 8.2 Information Security Risk Assessment risk register can be found here.
A guide to the ISO 27001 risk management policy used by ISO 27001 Clause 8.2 is located here.
There are several ways to keep and show evidence of a risk assessment:
1. Hold an annual risk review meeting and minute the results
2. Maintain and use a risk register
3. Follow the structured agenda of the management review team meeting which covers risk assessment
4. Include risk assessment as part of your operational processes
At least annually and as significant changes occur.
Read the complete guide to ISO 27001 risk assessment here.
Further Reading
For more on planning for risk assessment be sure to read: ISO 27001 Clause 6.1.2 Information security risk assessment Guide
For more on planning for risk treatment be sure to read: ISO 27001 Clause 6.1.3 Information Security Risk Treatment Guide