The ISO 27001 standard requires an organisation to perform risk assessments and to keep evidence of the results.
In this ultimate guide to ISO 27001:2022 Clause 8.2 Information Security Risk Assessment you will learn
- What ISO 27001 Clause 8.2 is
- How to implement it
Table of contents
What is ISO 27001 Clause 8.2?
ISO 27001 Clause 8.2 Information Security Risk Assessment clause is all about risk assessment.
Where we covered the planning in ISO 27001 Clause 6.1.2 here we look at the execution.
The ISO 27001 standard for ISO 27001 certification wants you define and implement a risk assessment process and then execute it and make sure it gets done.
That risk assessment process has to maintain evidence of the risk assessment which is done by using a risk register.
What are the ISO 27001:2022 Changes to Clause 8.2?
Great news. There are no changes to ISO 27001 Clause 8.2 in the 2022 update.
Definition
The organisation shall perform information security risk assessments at planned intervals or when significant changes are proposed or occur, taking account of the criteria established in 6.1.2 a).
ISO 27001:2022 Clause 8.2 Information Security Risk Assessment
The organisation shall retain documented information of the results of the information security risk assessments.
What is an example of a planned interval for ISO 27001 Clause 8.2?
Planned intervals means that you have a plan to conduct a risk assessment at a certain time. An example of a planned interval would be to conduct a risk assessment at least annually.
How often should you perform a risk assessment?
As a bench mark you would perform a full risk assessment at least annually.
In addition, you do a risk assessment every time there is a significant change.
Risks are actually regularly assessed at the management review team meeting as part of the structured management review team agenda.
It is best practice that these meeting should occur every month or at least once every 3 months.
How to conduct an ISO 27001 Risk Assessment
For details on how to conduct an ISO 27001 risk assessment read The Complete Guide to ISO 27001 Risk Assessment that talks you through it step by step.
ISO 27001 Templates
ISO 27001 templates are a great way to implement your information security management system. Whilst an ISO 27001 toolkit can save you up to 30x in consulting fees and allow you to deliver up to 10x faster these individual templates help meet the specific requirements of ISO 27001 clause 8.2.
DO IT YOURSELF ISO 27001
All the templates, tools, support and knowledge you need to do it yourself.
Watch the Training Video
FAQ
The ISO 27001 standard requires an organisation to perform risk assessment at planned intervals or when things change and keep evidence of the risk assessment.
You can download ISO 27001 Clause 8.2 Information Security Risk Assessment templates in the ISO 27001 Toolkit.
An example of ISO 27001 Clause 8.2 Information Security Risk Assessment can be found in the ISO 27001 Toolkit.
Yes. A complete guide to the ISO 27001 Clause 8.2 Information Security Risk Assessment risk register can be found here.
A guide to the ISO 27001 risk management policy used by ISO 27001 Clause 8.2 is located here.
There are several ways to keep and how evidence of a risk assessment:
1. Hold an annual risk review meeting and minute the results
2. Maintain and use a risk register
3. Follow the structure agenda of the management review team meeting which covers risk assessment
4. Include risk assessment as part of your operational processes
At least annually and as significant changes occur.
Read the complete guide to ISO 27001 risk assessment here.
Further Reading
For more on planning for risk assessment be sure to read: ISO 27001 Clause 6.1.2 Information security risk assessment Guide
For more on planning for risk treatment be sure to read: ISO 27001 Clause 6.1.3 Information Security Risk Treatment Guide