Risk Management

    ISO 27001 Risk Assessment Template: Download + Complete Guide

    A risk assessment is the backbone of your ISO 27001 ISMS. This guide walks you through the complete methodology - from asset identification to risk scoring to treatment planning - with a professional template to get started.

    ISO27001KIT|April 8, 2026|14 min read
    ISO 27001 Risk Assessment Template: Download + Complete Guide

    Why the Risk Assessment Is the Most Important Part of ISO 27001

    If there's one thing that can make or break your ISO 27001 certification, it's the risk assessment. Clauses 6.1.2 and 8.2 of the standard explicitly require organizations to define and apply a risk assessment process, and auditors spend more time reviewing this area than almost any other.

    A weak risk assessment leads to poorly justified controls, gaps in your Statement of Applicability, and treatment plans that don't address real threats. A strong one creates a defensible, evidence-based foundation for your entire ISMS.

    This guide walks you through the complete risk assessment process, explains how to score and prioritize risks, and shows you how to document everything in a format auditors expect to see.

    What ISO 27001 Requires for Risk Assessment

    Clause 6.1.2 - Information Security Risk Assessment

    The standard requires your organization to:

    1. Establish and maintain risk assessment criteria - including risk acceptance criteria and criteria for performing assessments
    2. Ensure repeated assessments produce consistent, valid, comparable results
    3. Identify risks - identify the risks associated with the loss of confidentiality, integrity, and availability of information
    4. Analyze risks - assess the realistic likelihood and potential impact of each risk
    5. Evaluate risks - compare risk levels against your criteria and prioritize for treatment

    Clause 8.2 - Risk Assessment Execution

    You must perform risk assessments at planned intervals or when significant changes occur, and retain documented evidence of the results.

    Step-by-Step Risk Assessment Methodology

    Step 1: Define Your Risk Criteria

    Before identifying any risks, establish your scoring framework. This includes:

    Likelihood Scale (1-5):

    LevelLabelDescription
    1RareLess than 5% probability in the next 12 months
    2Unlikely5-20% probability
    3Possible20-50% probability
    4Likely50-80% probability
    5Almost CertainGreater than 80% probability

    Impact Scale (1-5):

    LevelLabelFinancial ImpactOperational Impact
    1NegligibleUnder $10,000Minor disruption, recovered in hours
    2Minor$10,000 - $50,000Some process disruption, recovered in days
    3Moderate$50,000 - $250,000Significant disruption, weeks to recover
    4Major$250,000 - $1MSevere disruption, months to recover
    5CatastrophicOver $1MBusiness-threatening, may not recover

    Risk Score Calculation: Risk Score = Likelihood x Impact (range: 1-25)

    Risk Appetite Thresholds:

    • Low (1-4): Accept - monitor during periodic reviews
    • Medium (5-9): Treat - implement controls within 6 months
    • High (10-15): Treat urgently - implement controls within 3 months
    • Critical (16-25): Escalate - immediate management attention required

    Step 2: Identify Your Information Assets

    You cannot assess risks without knowing what you're protecting. Create an inventory of information assets including:

    • Digital assets: databases, file servers, cloud storage, SaaS applications
    • Physical assets: servers, network equipment, laptops, mobile devices
    • People: key personnel, contractors, third-party administrators
    • Processes: business processes that handle sensitive information
    • Intangible assets: intellectual property, reputation, customer trust

    Use the Asset Inventory Tool to build a structured inventory with confidentiality, integrity, and availability ratings for each asset.

    Step 3: Identify Threats and Vulnerabilities

    For each asset (or group of related assets), identify:

    • Threats: what could go wrong? (ransomware, data breach, insider threat, natural disaster, supply chain compromise)
    • Vulnerabilities: what weaknesses could be exploited? (unpatched systems, weak passwords, lack of encryption, no backup testing, inadequate training)

    A useful framework is the threat-vulnerability-asset triad: each risk should link a specific threat exploiting a specific vulnerability affecting a specific asset.

    Step 4: Assess Inherent Risk

    For each identified risk, score the inherent risk - the risk level before any controls are applied:

    • Assign a likelihood score (1-5)
    • Assign an impact score (1-5)
    • Calculate the inherent risk score (likelihood x impact)

    Be realistic and evidence-based. Common mistakes include:

    • Scoring every risk as "unlikely" to minimize the register
    • Inflating impact scores to justify existing controls
    • Using inconsistent criteria across different risk assessors

    Step 5: Evaluate Existing Controls

    Document what controls are already in place for each risk and assess their effectiveness:

    • Fully effective: Control consistently prevents or detects the risk
    • Partially effective: Control reduces but doesn't fully address the risk
    • Ineffective: Control exists but provides minimal real protection

    Step 6: Calculate Residual Risk

    After accounting for existing controls, calculate the residual risk - the remaining risk level:

    Residual Risk = Inherent Risk x (1 - Control Effectiveness %)

    For example, an inherent risk of 20 with a control that is 60% effective gives a residual risk of 8.

    Step 7: Decide on Risk Treatment

    For each risk above your acceptance threshold, choose a treatment option:

    • Mitigate: Implement additional controls to reduce likelihood or impact
    • Transfer: Share the risk through insurance or outsourcing
    • Avoid: Change business processes to eliminate the risk entirely
    • Accept: Formally accept the residual risk with management approval

    Document your treatment decision, the planned actions, the responsible owner, and the target completion date.

    What Your Risk Assessment Template Should Include

    A professional risk assessment template needs these fields for each risk entry:

    FieldPurpose
    Risk IDUnique identifier for tracking
    Risk TitleClear, concise description
    AssetThe information asset affected
    ThreatThe threat scenario
    VulnerabilityThe exploitable weakness
    Inherent LikelihoodScore before controls (1-5)
    Inherent ImpactScore before controls (1-5)
    Inherent Risk ScoreCalculated (L x I)
    Existing ControlsWhat's already in place
    Control EffectivenessHow well controls work
    Residual LikelihoodScore after controls
    Residual ImpactScore after controls
    Residual Risk ScoreCalculated (L x I)
    Treatment OptionMitigate / Transfer / Avoid / Accept
    Risk OwnerPerson accountable
    StatusOpen / In Treatment / Closed

    Common Risk Assessment Mistakes

    Mistake 1: Treating It as a One-Time Exercise

    ISO 27001 requires periodic reassessment (Clause 8.2). Your risk assessment is a living document that should be reviewed at least annually and whenever significant changes occur.

    Mistake 2: Using Generic Risk Lists

    Copying a generic list of IT risks from the internet does not constitute a risk assessment. Your risks must be specific to your organization's context, assets, and threat landscape.

    Mistake 3: No Connection Between Risks and Controls

    Every applicable control in your SoA should trace back to one or more risks in your register. If you can't explain why a control is implemented, your SoA justification is weak.

    Mistake 4: Inconsistent Scoring

    If different team members score the same risk differently, your methodology needs calibration. Run a scoring workshop to align on criteria before the full assessment.

    Using a Dedicated Risk Assessment Tool

    While a spreadsheet template gets you started, a dedicated tool provides significant advantages for ongoing risk management:

    • Automatic risk scoring based on your defined criteria
    • Asset-threat-vulnerability linking with referential integrity
    • Control mapping to connect risks with your SoA
    • Treatment plan tracking with progress monitoring
    • Audit trail documenting every change for certification evidence

    The Risk Assessment Tool on ISO27001KIT lets you build a complete risk register with automatic scoring, and the Risk Management platform provides ongoing risk lifecycle management with dashboards, audit trails, and reporting.

    Download the Risk Assessment Template

    The ISO 27001 Document Pack includes a professionally formatted Risk Register Template in Excel format with:

    • Pre-built likelihood and impact scales
    • Automatic risk score calculation
    • Conditional formatting for risk levels
    • Treatment tracking columns
    • Dashboard summary sheet

    You can also preview the template as a watermarked PDF before purchasing.

    Next Steps

    1. Start with your asset inventory using the Asset Inventory tool
    2. Run your risk assessment with the Risk Assessment tool
    3. Generate your Statement of Applicability with the SoA Generator
    4. Download the full document pack from the Documents page for your complete ISMS foundation
    Tags:
    iso 27001
    risk assessment
    risk register
    template
    methodology

    Found this article helpful?

    Share it with your colleagues.