ISO 270018 min read

ISO 27001 Risk Assessment: Complete Process Guide

Risk assessment is at the heart of ISO 27001. It drives your control selection and shapes your entire ISMS. This guide walks you through the complete risk assessment process.

Key Takeaways

Point Summary
Required by Clauses 6.1.2 (define process), 8.2 (perform at intervals), 8.3 (implement treatment)
4-step process Establish Context → Risk Identification → Risk Analysis → Risk Evaluation
Treatment options Modify (implement controls), Accept, Avoid, or Share (transfer)
Outputs Risk register, risk treatment plan, Statement of Applicability
Frequency Initial assessment + annual reviews + when significant changes occur

Quick Answer: Risk assessment is mandatory for ISO 27001. Identify information assets, threats, and vulnerabilities, then assess likelihood and impact. Choose treatment options (modify/accept/avoid/share) and document in your risk register and Statement of Applicability.

Why Risk Assessment Matters

ISO 27001 Requirements

Risk assessment isn't optional. It's a core requirement:

Clause Requirement
6.1.2 Define and apply a risk assessment process
8.2 Perform risk assessments at planned intervals
8.3 Implement risk treatment plan

Business Value

Beyond compliance, risk assessment provides:

Value Description
Informed decisions Know where to invest in security
Resource prioritization Focus on what matters most
Management buy-in Justify security investments
Audit evidence Demonstrate systematic approach

Risk Assessment Framework

Overview

ISO 27001 Risk Assessment Framework:

1. Establish Context:

  • Define scope and criteria
  • Set risk acceptance thresholds

2. Risk Identification:

  • Identify assets
  • Identify threats
  • Identify vulnerabilities
  • Identify consequences

3. Risk Analysis:

  • Assess likelihood
  • Assess impact
  • Calculate risk level

4. Risk Evaluation:

  • Compare against criteria
  • Prioritize risks
  • Determine treatment need

5. Risk Treatment:

  • Select treatment option
  • Choose controls
  • Document in SoA

Step 1: Establish Context

Define Scope

Before assessing risks, establish boundaries:

Question Answer Needed
What systems are included? List of in-scope systems
What data is covered? Data types and classification
What locations? Geographic scope
What processes? Business processes

Set Risk Criteria

Likelihood Scale (Example):

Level Rating Description
1 Rare Less than once every 5 years
2 Unlikely Once every 2-5 years
3 Possible Once per year
4 Likely Several times per year
5 Almost Certain Monthly or more

Impact Scale (Example):

Level Rating Financial Operational Reputational
1 Negligible <$10K Minutes Minimal
2 Minor $10K-$50K Hours Limited
3 Moderate $50K-$250K Days Moderate
4 Major $250K-$1M Weeks Significant
5 Severe >$1M Months Severe

Risk Acceptance Threshold:

Risk Level Acceptance
Low (1-4) Generally acceptable
Medium (5-12) Management decision required
High (15-25) Not acceptable, must treat

Step 2: Risk Identification

Asset Identification

Identify what you're protecting:

Information Assets:

Category Examples
Customer data PII, payment info, usage data
Business data Financial records, contracts
Intellectual property Source code, algorithms
Operational data Logs, configurations

Supporting Assets:

Category Examples
Hardware Servers, laptops, network equipment
Software Applications, operating systems
Services Cloud services, SaaS tools
People Employees, contractors

Asset Register Template:

Asset ID Asset Name Type Owner Classification Location
A001 Customer database Data CTO Confidential AWS RDS
A002 Production servers Infrastructure DevOps Lead Internal AWS EC2
A003 Source code IP Engineering Lead Confidential GitHub

Threat Identification

Identify what could go wrong:

Threat Category Examples
Deliberate Hacking, malware, insider attack, theft
Accidental Misconfiguration, human error, data loss
Environmental Fire, flood, power failure
Technical System failure, software bugs

Common Threats for SaaS Companies:

Threat Target Likelihood
Phishing attack Employees High
Credential compromise User accounts High
Ransomware All systems Medium
Insider data theft Customer data Low
Cloud misconfiguration Infrastructure Medium
DDoS attack Application Medium
Supply chain attack Third-party software Medium

Vulnerability Identification

Identify weaknesses that threats could exploit:

Vulnerability Type Examples
Technical Unpatched systems, weak encryption, open ports
Process No access reviews, weak change management
People Lack of training, no background checks
Physical Inadequate access controls, no monitoring

Consequence Identification

Identify potential impacts:

Consequence Description
Confidentiality breach Unauthorized data disclosure
Integrity violation Data modification or corruption
Availability loss System downtime or data loss
Compliance violation Regulatory penalties
Reputation damage Customer trust loss
Financial loss Direct costs, lost revenue

Step 3: Risk Analysis

Risk Calculation

(Note: ISO/IEC 27001 does not prescribe a specific risk calculation formula; organizations must define and justify their approach. The following is a commonly used method.)

Risk Level = Likelihood × Impact

Risk Matrix:

Likelihood / Impact 1 2 3 4 5
5 5 10 15 20 25
4 4 8 12 16 20
3 3 6 9 12 15
2 2 4 6 8 10
1 1 2 3 4 5

Risk Levels: Low (1-4), Medium (5-12), High (15-25)

Risk Analysis Example

Risk ID Threat Asset Likelihood Impact Risk Level
R001 Phishing attack Employee credentials 4 4 16 (High)
R002 Cloud misconfiguration Customer data 3 5 15 (High)
R003 Insider data theft Customer data 2 5 10 (Medium)
R004 DDoS attack Application availability 3 3 9 (Medium)
R005 Laptop theft Corporate data 3 2 6 (Medium)

Step 4: Risk Evaluation

Compare to Criteria

Risk Level Treatment Required?
High (15-25) Yes, mandatory treatment
Medium (5-12) Management decision
Low (1-4) Accept, monitor

Prioritize Risks

Rank risks for treatment based on:

  • Risk level (highest first)
  • Business impact
  • Treatment cost
  • Quick wins available

Priority Matrix:

Risk Level / Treatment Effort Low Effort High Effort
High Risk Priority 1 Priority 2
Low Risk Priority 3 Priority 4

Step 5: Risk Treatment

Treatment Options

Option Description When to Use
Modify Implement controls to reduce risk Most common option
Retain Retain risk as-is Risk within tolerance
Avoid Eliminate the activity Risk unacceptable
Share Transfer to third party Insurance, outsourcing

Control Selection

For each risk to be modified, select appropriate controls:

Risk Treatment Controls
Phishing attack Modify Security awareness training (6.3), MFA (8.5)
Cloud misconfiguration Modify Configuration management (8.9), Cloud security (5.23)
Insider data theft Modify Screening (6.1), Access control (5.15), Monitoring (8.16)
DDoS attack Share + Modify DDoS protection service, Redundancy (8.14)
Laptop theft Modify Encryption (8.24), MDM (8.1)

Residual Risk

After treatment, assess remaining risk:

Risk Treatment Effect:

Inherent Risk Controls Applied Residual Risk
16 MFA, Training 6
15 Config Mgmt 5
10 Access Control 4
9 DDoS Service 3
6 Encryption 2

Risk Register Template

Essential Fields

Field Purpose
Risk ID Unique identifier
Risk description What could happen
Asset affected What's at risk
Threat What could cause it
Vulnerability What weakness exists
Likelihood How likely (1-5)
Impact How severe (1-5)
Risk level Calculated score
Treatment decision Modify/Accept/Avoid/Share
Controls Selected mitigations
Risk owner Who's responsible
Residual risk Risk after treatment
Status Open/In progress/Closed

Sample Risk Register Entry

Sample Risk Register Entry:

Risk ID: R001

Description: Successful phishing attack leading to credential compromise

Asset: Employee credentials, corporate systems
Threat: Phishing/social engineering
Vulnerability: Insufficient security awareness

Inherent Risk Assessment:

  • Likelihood: 4 (Likely)
  • Impact: 4 (Major)
  • Risk Level: 16 (High)

Treatment: Modify

Controls:

  • 6.3 Security awareness training
  • 8.5 MFA on all systems
  • 8.7 Email security/anti-phishing

Residual Risk Assessment:

  • Likelihood: 2 (Unlikely)
  • Impact: 3 (Moderate - contained by MFA)
  • Residual Risk: 6 (Medium - Acceptable)

Risk Owner: CISO
Status: Controls implemented, monitoring
Review Date: Quarterly

Common Risk Assessment Mistakes

Mistake 1: Over-Complexity

Problem: 500+ risks, impossible to manage

Solution:

  • Focus on significant risks
  • Group similar risks
  • Use appropriate granularity
  • Target 30-75 key risks for most organizations

Mistake 2: Asset-Only Focus

Problem: Risk = "database gets hacked"

Solution:

  • Link threats to specific vulnerabilities
  • Consider threat actors and motivations
  • Make risks actionable

Mistake 3: Inconsistent Criteria

Problem: Different people rate same risk differently

Solution:

  • Clearly defined scales with examples
  • Calibration exercises
  • Consistent methodology

Mistake 4: Set and Forget

Problem: Risk register becomes outdated

Solution:

  • Regular reviews (quarterly minimum)
  • Update after incidents
  • Review after significant changes
  • Integrate into business processes

Mistake 5: Risk Assessment Theater

Problem: Going through motions without insight

Solution:

  • Focus on actionable findings
  • Connect to real business concerns
  • Use results for decisions
  • Report to management meaningfully

Risk Assessment for Auditors

What Auditors Look For

Requirement Evidence
Defined methodology Risk assessment procedure document
Consistent application Risk register following methodology
Appropriate criteria Defined scales, acceptance thresholds
Complete coverage All assets/threats considered
Regular updates Evidence of periodic review
Risk treatment decisions Documented rationale
Statement of Applicability Controls mapped to risks

Common Audit Findings

Finding Prevention
Methodology not documented Write procedure before starting
Criteria not defined Establish scales upfront
Risk register incomplete Systematic asset/threat identification
No evidence of review Document reviews, keep history
SoA not linked to risks Map controls to risks explicitly

The Bastion Approach

Streamlined Risk Assessment

Bastion simplifies risk assessment without sacrificing rigor:

Challenge Bastion Solution
Methodology development Pre-built, auditor-approved methodology
Asset identification Automated discovery from integrations
Threat identification Industry-specific threat library
Risk analysis Guided scoring with calibration
Control mapping Automatic control recommendations
Documentation Risk register with full audit trail

Expert Guidance

Your vCISO helps with:

  • Risk assessment facilitation
  • Consistent scoring across organization
  • Appropriate level of detail
  • Management reporting
  • Auditor preparation

Need help with your risk assessment? Talk to our team →

Sources

← PreviousHow Long Does ISO 27001 Take?Next →ISO 27001 Statement of Applicability (SoA): Complete Guide
Back to ISO 27001 guides