The complete guide to ISO 27001 risk assessment


ISO 27001 Risk Assessment

ISO 27001 is a risk-based information security management system. In simple terms this means that the controls you implement, and the level to which you implement them, are based on the risk to your organisation. I like ISO 27001 for this reason. It is a very practical standard to implement.

Let us take a look at the risk assessment methodology as well as some practical templates you can download and start using straight away.


Downloadable ISO 27001 Risk Assessment Templates

Before we look at the risk assessment step-by-step guide, let's consider some helpful templates. ISO 27001 risk assessment templates can fast-track your ISO 27001 risk assessments as well as guide you on what needs to be done.

ISO27001 Risk Management Policy-Black
ISO27001 Risk Register-Green
ISO27001 Risk Management Procedure-Black

What is the difference between a risk-based system and a rule-based system?

ISO 27001 is a risk-based management system. This is one of the main reasons that I like it. It wants you to consider the controls you have and the level of those controls based on the risk to your business. It is not a prescriptive list or a set level that you must meet. So what is the difference between a risk-based system and a rule-based system? Let's take a look.

Risk Based

Organisation implements the controls it needs based on risk

Organisation may or may not implement controls based on risk

Organisation determines the level of control required based on risk

Organisation can choose not to implement controls based on risk

You can still pass if you do not have a control as long as you are managing the risk

Rule Based

Organisation is given a list of controls it must implement

Organisation must implement controls provided

Organisation is told the level of required control

Organisation has no choice other than to implement controls

If you do not have the control to the required level, you fail

Unlike other standards that require you to have controls in place to a level that the standard dictates, a risk-based system is a lot more forgiving and practical. Getting the risk assessment right is therefore critical from both an implementation perspective and an audit and certification perspective.

When do you conduct an ISO 27001 risk assessment?

1. When you start your ISO 27001 implementation

There are a few occasions on which an ISO 27001 risk assessment is going to need to be conducted. The first, clearly, is at the start of your ISO 27001 implementation. To start your journey you are going to want to know what risks you are trying to address and then implement the controls and rigour that address those risks. Why would you start an implementation of security guards if you don't have any premises? An extreme example to be sure, but if we have no risk then we do not need the controls.

2. When things change

Change is a constant in any business. Risk assessment forms part of change management but is also just good practice. When things change you will assess the risk of the change itself but also whether the change affects any existing risks. Maybe it reduces existing risk, completely eliminates existing risk or just makes things a whole lot riskier.

3. At least annually

An ISO 27001 risk assessment really should be completed at least annually and recorded. It is a formal step but allows you to assess what, if anything, has changed as well as what, if anything, needs addressing. Budgets and resources may be required, and it allows effective planning and control.

How do you conduct an ISO 27001 risk assessment?

ISO 27001 Risk Assessment in 5 Simple Steps

Risk assessments can be daunting if you haven't done them before. They are actually very straightforward. Let's take a look at the 5 steps to ISO 27001 risk assessment.

Time needed: 4 hours

How to conduct an ISO 27001 risk assessment

  1. Implement a risk management framework

    Implement a risk management framework for your organisation. A good risk management framework is ISO 31000. You will want a risk management policy, a risk management process and a risk register.

  2. Identify Risks

    Risks to information security can be identified by identifying the physical and information assets, then running workshops with subject matter experts. Those experts can bring their knowledge and experience to bear to identify what could go wrong. Using the Annex A control list as a prompt you can do an assessment of where you are right now. Having a pre-populated risk register can be a great kick start. The ongoing identification of risk will come via internal audits, external audits, incidents and corrective actions, dedicated risk assessments and the process of continual improvement.

  3. Analyse Risks

    Analyse risks based on the impact and likelihood of occurring. Give the risk a risk score. The risk score will be used as a guide to your risk treatment and risk treatment prioritisation.

  4. Evaluate Risks

    Using the risk score as a guide evaluate the risk as it applies to your organisation.

  5. Risk Treatment

    Each risk will have a risk treatment. Decide if you are going to accept the risk, reduce the risk, avoid the risk, transfer the risk. Risks are assigned a risk owner. Risk treatments are assigned a risk treatment owner and risk treatment date. Risks are reviewed regularly. Risks are discussed with management in a structured meeting that is minuted to record the risk treatment decision.
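Steps 3 to 5 above describe a risk register: each risk is scored on likelihood and impact, ranked by that score, and then given a treatment (accept, reduce, avoid or transfer) with a risk owner, a treatment owner and a treatment date. The following Python is an added example of that workflow, not code or a template from this page or from High Table. The 1-5 scales, the score thresholds for Low/Medium/High/Critical, and the sample risks are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from enum import Enum
from typing import Optional

# The four treatment options named in step 5.
class Treatment(Enum):
    ACCEPT = "accept"
    REDUCE = "reduce"
    AVOID = "avoid"
    TRANSFER = "transfer"

SCALE = range(1, 6)  # assumed 1..5 scale for both likelihood and impact


@dataclass
class Risk:
    """One row of the risk register."""
    ref: str
    description: str
    asset: str
    likelihood: int
    impact: int
    risk_owner: str                              # every risk has an owner (step 5)
    treatment: Optional[Treatment] = None
    treatment_owner: Optional[str] = None
    treatment_date: Optional[date] = None

    def __post_init__(self) -> None:
        if self.likelihood not in SCALE or self.impact not in SCALE:
            raise ValueError(f"{self.ref}: likelihood and impact must be 1-5")

    @property
    def score(self) -> int:
        # Step 3: risk score = impact x likelihood (assumed scoring method)
        return self.likelihood * self.impact


def rating(score: int) -> str:
    """Step 4: map a score to a band. Thresholds are an assumption for this example."""
    if score >= 16:
        return "Critical"
    if score >= 10:
        return "High"
    if score >= 5:
        return "Medium"
    return "Low"


def prioritise(register: list) -> list:
    """Highest score first; ties broken by reference so the order is stable."""
    return sorted(register, key=lambda r: (-r.score, r.ref))


def treat(risk: Risk, treatment: Treatment,
          owner: Optional[str] = None, due: Optional[date] = None) -> Risk:
    """Step 5: record the treatment decision. Anything other than accept needs an
    owner and a date so that progress can be reviewed."""
    if treatment is not Treatment.ACCEPT and (owner is None or due is None):
        raise ValueError(f"{risk.ref}: {treatment.value} needs a treatment owner and date")
    risk.treatment = treatment
    risk.treatment_owner = owner
    risk.treatment_date = due
    return risk


def untreated(register: list) -> list:
    """References of risks with no treatment decision yet, in priority order."""
    return [r.ref for r in prioritise(register) if r.treatment is None]


def dashboard(register: list) -> dict:
    """Counts per rating band plus untreated count, for a management summary."""
    summary = {"Critical": 0, "High": 0, "Medium": 0, "Low": 0}
    for r in register:
        summary[rating(r.score)] += 1
    summary["untreated"] = len(untreated(register))
    return summary


def sample_register() -> list:
    """Constructed sample risks, not taken from any real organisation."""
    return [
        Risk("R-001", "Laptop holding customer data lost or stolen", "Staff laptops", 3, 4, "Head of IT"),
        Risk("R-002", "Shared administrator account for cloud console", "Cloud tenant", 4, 5, "CTO"),
        Risk("R-003", "Visitor tailgates into server room", "Server room", 2, 3, "Facilities Manager"),
        Risk("R-004", "Supplier slow to patch hosted service", "Hosted CRM", 2, 2, "Procurement Lead"),
    ]


if __name__ == "__main__":
    reg = sample_register()
    for r in prioritise(reg):
        print(f"{r.ref} score={r.score:2d} {rating(r.score):8s} owner={r.risk_owner}")
    treat(reg[1], Treatment.REDUCE, "Cloud Platform Lead", date(2024, 6, 30))
    treat(reg[3], Treatment.ACCEPT)
    print("untreated:", untreated(reg))
    print("dashboard:", dashboard(reg))
```

The `dashboard` output is the kind of summary step 5 says should be put in front of management; the register itself is the evidence behind it. Treating anything other than "accept" is refused without an owner and a date, which is what makes the later regular reviews possible.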

ISO 27001 Risk Assessment Methodology

A risk management framework, or ISO 27001 risk assessment methodology, is a requirement, and the aspects of it are laid out in the ISO 27001 standard. To meet the requirements you could look to implement ISO 31000 Risk Management. We built our ISO 27001 Risk Templates to meet the requirements of this risk standard.

Who performs the ISO 27001 Risk Assessment?

Ideally someone experienced and knowledgeable in information security should lead the risk assessment, with representation from all aspects of the business involved. Senior management need to be involved in the process of the assessment as well, as ultimately they will own the risks that are identified. The more representation you can have from across the business, the better.

Who is the risk assessment reported to?

The output of the ISO 27001 risk assessment goes first to the Management Review Team. The Management Review Team is the formal construct that has defined roles and responsibilities in the information security management system and is set up at the beginning of an ISO 27001 implementation. Part of its role is oversight and risk management, and as a decision-making and reporting body it is here that the risk assessments are first presented, actions agreed and outputs formally recorded.

The risk assessment will lead to risk treatment, and the Management Review Team will continue to oversee the risk treatment on an ongoing basis.

A report of the risk assessment is then shared with key stakeholders and senior managers and owners.

How is an ISO 27001 risk assessment recorded?

The record of the risk assessment meeting should be recorded in the minutes of the meeting. The risks themselves are entered into and recorded in the risk register. The risk register is the main tool for recording and managing risk. It is possible to share just the risk register as long as it has a management dashboard, as is included in our risk register template, but if not then you should consider creating a summary management report. The summary management report with the risk register as an appendix is a great record of the assessment and a great way to communicate to all levels of the business as required.

ISO 27001 Risk Assessment FAQ

Why do an ISO 27001 risk assessment?

An ISO 27001 risk assessment helps organisations identify, analyse, and evaluate weaknesses in their information security processes. It allows them to implement effective plans to manage the risk. It allows them to prioritise the allocation of limited resources such as time and money.

Do I need to do a risk assessment for ISO 27001?

Yes, you need to do a risk assessment for ISO 27001. ISO 27001 is a risk-based management system and it is an essential component of the standard.

How do you do a risk assessment for ISO 27001?

1. Define your risk management framework.
2. Write your risk management policy.
3. Write your risk management process.
4. Create your risk register.
5. Identify your risks.
6. Analyse your risks.
7. Evaluate your risks.
8. Treat your risks.
9. Report and record your risk decisions.

Where can I get a risk assessment template?

A risk assessment template is available at High Table.
