ISO 27001 Information Security Risk Assessment

In this article we lay bare ISO 27001 Clause 8.2 Information Security Risk Assessment, exposing the insider trade secrets, giving you the templates that will save you hours of your life and showing you exactly what you need to do to satisfy it for ISO 27001 certification. We show you exactly what changed in the ISO 27001:2022 update. I am Stuart Barker, the ISO 27001 Ninja, and this is ISO 27001 Clause 8.2.

What is ISO 27001 Clause 8.2 Information Security Risk Assessment?

The ISO 27001 standard requires an organisation to perform risk assessments and to keep evidence of the results.

ISO 27001 Clause 8.2 Information Security Risk Assessment is all about risk assessment.

Where we covered the planning in ISO 27001 Clause 6.1.2, here we look at the execution.

The ISO 27001 standard for ISO 27001 certification wants you to define and implement a risk assessment process and then execute it and make sure it gets done.

That risk assessment process has to maintain evidence of the risk assessment, which is done by using a risk register.

What are the ISO 27001:2022 Changes to Clause 8.2?

Great news. There are no changes to ISO 27001 Clause 8.2 in the 2022 update.

ISO 27001 Clause 8.2 Definition

The organisation shall perform information security risk assessments at planned intervals or when significant changes are proposed or occur, taking account of the criteria established in 6.1.2 a).
The organisation shall retain documented information of the results of the information security risk assessments.

What is an example of a planned interval for ISO 27001 Clause 8.2?

Planned intervals means that you have a plan to conduct a risk assessment at a certain time. An example of a planned interval would be to conduct a risk assessment at least annually.

How often should you perform a risk assessment?

As a benchmark you would perform a full risk assessment at least annually.

In addition, you do a risk assessment every time there is a significant change.

Risks are actually regularly assessed at the management review team meeting as part of the structured management review team agenda.

It is best practice that these meetings should occur every month or at least once every 3 months.

How to conduct an ISO 27001 Risk Assessment

For details on how to conduct an ISO 27001 risk assessment, read The Complete Guide to ISO 27001 Risk Assessment, which talks you through it step by step.

ISO 27001 Clause 8.2 Templates

ISO 27001 templates are a great way to implement your information security management system. Whilst an ISO 27001 toolkit can save you up to 30x in consulting fees and allow you to deliver up to 10x faster, these individual templates help meet the specific requirements of ISO 27001 Clause 8.2.

ISO 27001 Risk Register Template
ISO 27001 Risk Management Policy Template
ISO 27001 Risk Management Procedure Template

ISO 27001 Clause 8.2 FAQ

What is ISO 27001 Clause 8.2 Information Security Risk Assessment?

The ISO 27001 standard requires an organisation to perform risk assessment at planned intervals or when things change and keep evidence of the risk assessment.

Where can I download ISO 27001 Clause 8.2 Information Security Risk Assessment?

You can download ISO 27001 Clause 8.2 Information Security Risk Assessment templates in the ISO 27001 Toolkit.

Is there an ISO 27001 Clause 8.2 Information Security Risk Assessment example?

An example of ISO 27001 Clause 8.2 Information Security Risk Assessment can be found in the ISO 27001 Toolkit.

Is there an ISO 27001 Clause 8.2 Information Security Risk Assessment risk register?

Yes. A complete guide to the ISO 27001 Clause 8.2 Information Security Risk Assessment risk register can be found here.

Is there a guide to the risk management policy used in ISO 27001 Clause 8.2?

A guide to the ISO 27001 risk management policy used by ISO 27001 Clause 8.2 is located here.

How do you keep evidence of a risk assessment?

There are several ways to keep and show evidence of a risk assessment:
1. Hold an annual risk review meeting and minute the results
2. Maintain and use a risk register
3. Follow the structured agenda of the management review team meeting, which covers risk assessment
4. Include risk assessment as part of your operational processes

How often do you conduct a risk assessment?

At least annually and as significant changes occur.

How do you conduct an ISO 27001 risk assessment?

Read the complete guide to ISO 27001 risk assessment here.

Further Reading

For more on planning for risk assessment be sure to read: ISO 27001 Clause 6.1.2 Information security risk assessment Guide

For more on planning for risk treatment be sure to read: ISO 27001 Clause 6.1.3 Information Security Risk Treatment Guide