Why the Risk Assessment Is the Most Important Part of ISO 27001
If there's one thing that can make or break your ISO 27001 certification, it's the risk assessment. Clauses 6.1.2 and 8.2 of the standard explicitly require organizations to define and apply a risk assessment process, and auditors spend more time reviewing this area than almost any other.
A weak risk assessment leads to poorly justified controls, gaps in your Statement of Applicability, and treatment plans that don't address real threats. A strong one creates a defensible, evidence-based foundation for your entire ISMS.
This guide walks you through the complete risk assessment process, explains how to score and prioritize risks, and shows you how to document everything in a format auditors expect to see.
What ISO 27001 Requires for Risk Assessment
Clause 6.1.2 - Information Security Risk Assessment
The standard requires your organization to:
- Establish and maintain risk assessment criteria - including risk acceptance criteria and criteria for performing assessments
- Ensure repeated assessments produce consistent, valid, comparable results
- Identify risks - identify the risks associated with the loss of confidentiality, integrity, and availability of information
- Analyze risks - assess the realistic likelihood and potential impact of each risk
- Evaluate risks - compare risk levels against your criteria and prioritize for treatment
Clause 8.2 - Risk Assessment Execution
You must perform risk assessments at planned intervals or when significant changes occur, and retain documented evidence of the results.
Step-by-Step Risk Assessment Methodology
Step 1: Define Your Risk Criteria
Before identifying any risks, establish your scoring framework. This includes:
Likelihood Scale (1-5):
| Level | Label | Description |
|---|---|---|
| 1 | Rare | Less than 5% probability in the next 12 months |
| 2 | Unlikely | 5-20% probability |
| 3 | Possible | 20-50% probability |
| 4 | Likely | 50-80% probability |
| 5 | Almost Certain | Greater than 80% probability |
Impact Scale (1-5):
| Level | Label | Financial Impact | Operational Impact |
|---|---|---|---|
| 1 | Negligible | Under $10,000 | Minor disruption, recovered in hours |
| 2 | Minor | $10,000 - $50,000 | Some process disruption, recovered in days |
| 3 | Moderate | $50,000 - $250,000 | Significant disruption, weeks to recover |
| 4 | Major | $250,000 - $1M | Severe disruption, months to recover |
| 5 | Catastrophic | Over $1M | Business-threatening, may not recover |
Risk Score Calculation: Risk Score = Likelihood x Impact (range: 1-25)
Risk Appetite Thresholds:
- Low (1-4): Accept - monitor during periodic reviews
- Medium (5-9): Treat - implement controls within 6 months
- High (10-15): Treat urgently - implement controls within 3 months
- Critical (16-25): Escalate - immediate management attention required
Step 2: Identify Your Information Assets
You cannot assess risks without knowing what you're protecting. Create an inventory of information assets including:
- Digital assets: databases, file servers, cloud storage, SaaS applications
- Physical assets: servers, network equipment, laptops, mobile devices
- People: key personnel, contractors, third-party administrators
- Processes: business processes that handle sensitive information
- Intangible assets: intellectual property, reputation, customer trust
Use the Asset Inventory Tool to build a structured inventory with confidentiality, integrity, and availability ratings for each asset.
Step 3: Identify Threats and Vulnerabilities
For each asset (or group of related assets), identify:
- Threats: what could go wrong? (ransomware, data breach, insider threat, natural disaster, supply chain compromise)
- Vulnerabilities: what weaknesses could be exploited? (unpatched systems, weak passwords, lack of encryption, no backup testing, inadequate training)
A useful framework is the threat-vulnerability-asset triad: each risk should link a specific threat exploiting a specific vulnerability affecting a specific asset.
Step 4: Assess Inherent Risk
For each identified risk, score the inherent risk - the risk level before any controls are applied:
- Assign a likelihood score (1-5)
- Assign an impact score (1-5)
- Calculate the inherent risk score (likelihood x impact)
Be realistic and evidence-based. Common mistakes include:
- Scoring every risk as "unlikely" to minimize the register
- Inflating impact scores to justify existing controls
- Using inconsistent criteria across different risk assessors
Step 5: Evaluate Existing Controls
Document what controls are already in place for each risk and assess their effectiveness:
- Fully effective: Control consistently prevents or detects the risk
- Partially effective: Control reduces but doesn't fully address the risk
- Ineffective: Control exists but provides minimal real protection
Step 6: Calculate Residual Risk
After accounting for existing controls, calculate the residual risk - the remaining risk level:
Residual Risk = Inherent Risk x (1 - Control Effectiveness %)
For example, an inherent risk of 20 with a control that is 60% effective gives a residual risk of 8.
Step 7: Decide on Risk Treatment
For each risk above your acceptance threshold, choose a treatment option:
- Mitigate: Implement additional controls to reduce likelihood or impact
- Transfer: Share the risk through insurance or outsourcing
- Avoid: Change business processes to eliminate the risk entirely
- Accept: Formally accept the residual risk with management approval
Document your treatment decision, the planned actions, the responsible owner, and the target completion date.
What Your Risk Assessment Template Should Include
A professional risk assessment template needs these fields for each risk entry:
| Field | Purpose |
|---|---|
| Risk ID | Unique identifier for tracking |
| Risk Title | Clear, concise description |
| Asset | The information asset affected |
| Threat | The threat scenario |
| Vulnerability | The exploitable weakness |
| Inherent Likelihood | Score before controls (1-5) |
| Inherent Impact | Score before controls (1-5) |
| Inherent Risk Score | Calculated (L x I) |
| Existing Controls | What's already in place |
| Control Effectiveness | How well controls work |
| Residual Likelihood | Score after controls |
| Residual Impact | Score after controls |
| Residual Risk Score | Calculated (L x I) |
| Treatment Option | Mitigate / Transfer / Avoid / Accept |
| Risk Owner | Person accountable |
| Status | Open / In Treatment / Closed |
Common Risk Assessment Mistakes
Mistake 1: Treating It as a One-Time Exercise
ISO 27001 requires periodic reassessment (Clause 8.2). Your risk assessment is a living document that should be reviewed at least annually and whenever significant changes occur.
Mistake 2: Using Generic Risk Lists
Copying a generic list of IT risks from the internet does not constitute a risk assessment. Your risks must be specific to your organization's context, assets, and threat landscape.
Mistake 3: No Connection Between Risks and Controls
Every applicable control in your SoA should trace back to one or more risks in your register. If you can't explain why a control is implemented, your SoA justification is weak.
Mistake 4: Inconsistent Scoring
If different team members score the same risk differently, your methodology needs calibration. Run a scoring workshop to align on criteria before the full assessment.
Using a Dedicated Risk Assessment Tool
While a spreadsheet template gets you started, a dedicated tool provides significant advantages for ongoing risk management:
- Automatic risk scoring based on your defined criteria
- Asset-threat-vulnerability linking with referential integrity
- Control mapping to connect risks with your SoA
- Treatment plan tracking with progress monitoring
- Audit trail documenting every change for certification evidence
The Risk Assessment Tool on ISO27001KIT lets you build a complete risk register with automatic scoring, and the Risk Management platform provides ongoing risk lifecycle management with dashboards, audit trails, and reporting.
Download the Risk Assessment Template
The ISO 27001 Document Pack includes a professionally formatted Risk Register Template in Excel format with:
- Pre-built likelihood and impact scales
- Automatic risk score calculation
- Conditional formatting for risk levels
- Treatment tracking columns
- Dashboard summary sheet
You can also preview the template as a watermarked PDF before purchasing.
Next Steps
- Start with your asset inventory using the Asset Inventory tool
- Run your risk assessment with the Risk Assessment tool
- Generate your Statement of Applicability with the SoA Generator
- Download the full document pack from the Documents page for your complete ISMS foundation
Found this article helpful?
Share it with your colleagues.
