In this ultimate guide I show you everything you need to know about the ISO27001 Risk Management Policy and exactly what you need to do to satisfy it to gain ISO27001 certification.

We will get to grips with what risk management is, understand why organisations need a Risk Management Policy, show you how to write one, and let you in on trade secret’s that’ll save you hours of time and effort, simply by using this ISO27001 Risk Management Policy Template.

I am Stuart Barker the ISO27001 Ninja and this is the ISO27001 Risk Management Policy.

ISO27001 and Risk Management

I like a risk based management approach to information security. It is a sensible approach to information security. It is a grown up approach. It allows the business to decide what controls to put in place and to what level.

Risk is all about the uncertainty that surrounds future events and the outcomes. We cannot plan for everything but we can have a policy and approach about how we deal with it.

What is ISO27001 Risk Management?

ISO270001 Risk management is about setting the best course of action to take for those elements of uncertainty.

Those known knowns, unknown unknowns, and known unknowns.

Not everything needs to be prevented but risk management wants you to acknowledge the risk and have taken a positive action to address it.

You could choose to accept the risk and do nothing, or to try to reduce the risk or to remove the risk entirely.

Risk management is about indemnifying and then making appropriate business decisions as to what to do about those risks.



What is the Risk Management Process?

In our approach to that uncertain future we are going to want to identify risk. To the best of our ability.

Then we are going assess that risk for what it means to us and what it could do to us.

Once we understand the risk we are going to act on it.

Doing nothing is an acceptable answer.

This is accepting risk.

We all accept a certain level of risk every day in our personal lives.

This is no different in business.

Some risks we are going to control and manage.

Where we have the resources to do so proportionate to the risk before us.

What is an ISO27001 Risk Management Policy?

The ISO27001 Risk Management Policy sets out the guidelines and framework for how you identify, manage and mitigate risks to your information security.

The policy addresses risks by ensuring that robust risk management processes are in place.

It is the foundation upon which ISO27001 is built.

ISO27001 Risk Management Policy In Depth

ISO27001 is a risk based management system rather than a rule base management system so the identification and appropriate management of risk is fundamental and key.

Some risks are acceptable to a business and so not all controls may be required and not all risks need to be fully treated.

In a rule based system you either have the control or you don’t, you pass or you fail.

ISO27001 takes a more grown up approach putting the company in control.

In the risk management policy we

  • define the risk appetite of the business
  • cover the identification of risk
  • set out how risks are assessed and evaluated
  • describe how risks are recorded
  • explain the risk register
  • document the treatment of risks.
  • describe risk reporting

It is a tool in our business arsenal and it forms part of the mandatory ISO27001 documents.

It gets everyone on the same page and gives us a standard approach to risk.

ISO27001 Risk Management Policy Template

The comprehensive ISO27001 risk management policy is designed to save you over 4 hours of work and give you an exclusive, industry best practice policy template that is pre written and ready to go.

With implementation guides you can tweak it in minutes.

ISO 27001 Risk Management Policy Template

What is the Purpose of the ISO27001 Risk Management Policy?

The purpose of the ISO27001 Risk Management Policy is to ensure risks to information security are identified, managed and addressed in a timely manner.

What is the ISO27001 Risk Management Policy Principle?

All information security risks are identified and managed based on robust risk management procedures and best practice.

ISO27001 Risk Management Policy Implementation Guide

This is the layout and content headers you want to include in your policy if you write it yourself.

  • Document Version Control
  • Document Contents Page
  • Purpose
  • Scope
  • Risk Management Policy
  • Principle
  • What is risk Management
  • Risk Appetite
  • Low Risk Appetite
  • Moderate Risk Appetite
  • Risk Identification and Assessment
  • Risk Register
  • Risk Reporting
  • Risk Review
  • Risk Treatment
  • Risk Acceptance
  • Risk Mitigation
  • Risk Evaluation
  • Policy Compliance
  • Compliance Measurement
  • Exceptions
  • Non-Compliance
  • Continual Improvement

The sensible approach would be to download the ISO27001 Risk Management Policy Template.

ISO27001 Requirements for Risk Management

The following clauses in ISO27001 cover risk management and what is required for ISO27001 certification

ISO27001 Clause 6.1 Risk Planning

ISO27001 Clause 6.1.1 Planning General is about planning for risk.

ISO27001 Clause 6.1.2 Information Security Risk Assessment

ISO27001 Clause 6.1.2 Information security risk assessment is about the planning for risk assessment.

ISO27001 Clause 6.1.3 Information Security Risk Treatment 

ISO27001 Clause 6.1.3 Information Security Risk Treatment is about the planning for risk treatment.

ISO27001 Clause 8.2 Information Security Risk Assessment

ISO27001 Clause 8.2 Information Security Risk Assessment is about execution and doing of risk assessment.

ISO27001 Clause 8.3 Information Security Risk Treatment 

ISO27001 Clause 8.3 Information Security Risk Treatment is about execution and doing of risk treatment.

ISO27001 Risk Management Policy FAQ

What is the purpose of the ISO27001 risk management policy?

The purpose of the ISO27001 risk management policy is to set out what the company does for information security risk management. It is not how the company does it. How the company does it is covered in the ISO27001 processes and process documents. Here we are setting out the ‘what’ and the organisations overall approach to key risk management concepts.

What is the scope of the ISO27001 risk management policy?

The scope of the ISO27001 risk management policy is risk and risk management as applied to information security and the confidentiality, integrity and availability of company owned, processed, stored and transmitted information.

What is the risk management principle?

Information security management for the company is based on appropriate and adequate risk and risk management.

What is ISO27001 risk management?

Risk can be defined as the threat or possibility that an action or event will adversely or beneficially affect an organisation’s ability to achieve its objectives.
Risk management can be defined as the systematic application of principles and approach, and a process by which the company identifies and assesses the risks attached to its activities and then plans and implements risk responses.

What is an ISO27001 low risk appetite example?
A low risk appetite means that you will do what ever you can to remove or reduce the risk. An example a low risk appetite could be

• Unauthorized access, use, or release of personally identifiable information or sensitive data.
• Noncompliance with technology laws, regulations, policies, or procedures.
• Lack of resiliency against cybersecurity threats.
We normally have a low risk appetite when it comes to the law, regulations or things that could cause harm.

What is an ISO27001 moderate risk appetite example?

A moderate risk appetite means that you will take reasonable steps to remove or a reduce a risk subject to factors such as the costs involved and the needs of the business. Moderate risk is about being proportionate and cost-effective and an example of a moderate risk appetite could be
• Alignment of enterprise information systems, data, and business practices.
• Ability to meet user demands and support a mobile workforce.
• Technology infrastructure and performance (e.g., stability, reliability, capability, capacity, and duplicative systems).
• Business resiliency planning and execution.

How are ISO27001 risks recorded and managed?

ISO27001 risks are recorded in, and managed via a ISO27001 risk register.

Who are ISO27001 risks reported to?

ISO27001 risks are reported to the Management Review Team and Senior Leadership.
ISO27001 risks are recorded, managed and tracked in the ISO27001 risk register.
The risk register is reviewed at the Management Review Team meeting.
Significant risks being risks identified as requiring the attention of senior management or risks with a score over 20 or risks classified as severe are reported to the senior management team and form part of the company enterprise risk management reporting.

What is an ISO27001 risk review?

An ISO27001 risk review is an assessment of the current risks and the identification of new risks.
The organisation must complete at least an annual risk review and record the outcome in risk review meeting minutes.
In addition risks are regularly reviewed and monitored at the Management Review Team meeting to ensure:
• Risk action progress
• Risk action effectiveness
• Management of residual risk

How do you evaluate ISO27001 risk?

You evaluate ISO27001 risk based on the impact if the risk materialises and the likelihood of that event occurring. You define an ISO27001 risk impact score and definition and you define an ISO27001 risk likelihood score and definition. These two scores are multiplied to create a risk score and the risk score creates your risk rating. Depending on the rating certain actions will be required.

What is the process for ISO27001 risk mitigation?

Where a risk is to be mitigated
• A plan of action is approved by the relevant departmental manger and/or the Management Review Team and/or Senior Management.
• Responsibility for implementing and managing the plan is allocated.
• Risks are reported and reviewed at the Management Review Team meeting and recorded in the Risk Register.

What is the process and criteria for ISO27001 risk acceptance?

The decision to accept risks is taken by the relevant departmental manager and or senior management.
The criteria for accepting risk is based on
• The risk is categorised as low and it is not cost effective to treat the risk.
• A business or commercial opportunity exists that outweighs the threat and impact.
• A risk treatment does not exist
• The impact of the risk occurring is acceptable to the company

Where can I get an ISO27001 risk management policy?

An ISO27001 risk management policy can be found at High Table: The ISO27001 Company.

How to write a risk management plan?

You first decide the risk appetite of the business. Then you write a risk management policy. Next you create a risk register. With these tools in place conduct your first risk identification meeting and identify your business risks. Write them down in the risk register. Share them with senior management. Manage the risks through the risk management process.

What is a risk management policy?

A risk management policy is a document that describes what you do in relation to risk management. It includes your risk appetite which is a measure of how willing you are to to business risk and what measures you will take to address them.

Why is an ISO27001 risk management plan important?

An ISO27001 risk management plan lets everyone in the business know the approach to risks and how they are managed. It sets out a standard approach and allows for the identification, quantification and management of business risk.

ISO27001 risk policy PDF example?

For an ISO27001 risk management policy template PDF you can view Sample ISO27001 Risk Management Policy

How do you measure ISO27001 risk impact?

The evaluation of ISO27001 risk impact is considered based on the impact to
• Compliance and the Law
• Reputation
• Customers
• Business Goals and Objectives
• Financial Performance