ISO 27001 Risk Assessment: A Practical Methodology for Non-Risk-Managers

April 25, 2024

The risk assessment is the engine of an ISO 27001 programme. Every other element of the ISMS, from the Statement of Applicability to the control implementation roadmap to the ongoing management review, depends on the risk assessment being done well. It is also the part of the programme that most organisations without a formal risk management background find most intimidating. The combination of free-form methodology requirements and consequential outputs leads many organisations to either overcomplicate the process or produce a risk register that looks thorough but does not reflect genuine analysis.

ISO 27001 does not prescribe a risk assessment methodology. It requires that the methodology is documented, applied consistently, produces comparable and reproducible results, and is appropriate to the organisation's context. That flexibility is useful, but it also means organisations need to make deliberate choices about how they will identify risks, assess their likelihood and impact, and determine how to treat them.

Defining the Methodology Before You Start

Before identifying any risks, document how the risk assessment will work. This includes: the scope (which assets, processes, and information are in scope for the assessment), the risk criteria (what constitutes acceptable risk, defined in terms of likelihood and impact scales), the assessment approach (whether you are assessing risks to information assets, using scenarios, or taking another approach), and the ownership model (who will be accountable for each risk). This methodology document does not need to be lengthy. It needs to be precise enough that a different person could apply it and produce consistent results.

The likelihood and impact scales should be defined before the assessment begins, not calibrated during it. A common approach is to use a three or five-point scale for each dimension, with clear definitions for each level. Likelihood might range from rare (less than once in five years) through to almost certain (likely to occur more than once per year). Impact might range from negligible (no material effect on operations or reputation) through to critical (significant financial loss, regulatory action, or reputational damage). Define these scales with reference to your organisation's context: what counts as critical impact for a startup is different from what counts as critical impact for a regulated financial institution.

Identifying Risks Without Getting Overwhelmed

Risk identification is the step where many organisations generate lists of 200-plus risks that become unmanageable and ultimately abandoned. A practical approach for organisations without a dedicated risk management function is to identify risks at the information asset or process level rather than at the individual threat level. Start by listing the information assets and processes within scope of the ISMS, then for each one identify the relevant threats (what could go wrong), the vulnerabilities that those threats could exploit (why it could go wrong), and the potential consequences (what the impact would be if it did).

A manageable risk register for a growth-stage technology company typically contains 30 to 60 risks, not 200. Risks that are essentially the same threat exploiting the same vulnerability with the same impact can be consolidated. Risks that are highly specific to a narrow technical scenario and carry low inherent risk can be noted briefly rather than documented at the same level of detail as high-priority items. The goal is a register that is genuinely used to drive control decisions, not a comprehensive catalogue that sits in a folder and is never reviewed.

Risk Treatment and the Link to Controls

Once risks are assessed and prioritised, each risk above the acceptable threshold needs a treatment decision. The four treatment options are treat (implement a control to reduce the likelihood or impact), tolerate (accept the risk because the cost of treatment exceeds the benefit), transfer (pass the risk to a third party, typically through insurance or contractual means), or terminate (cease the activity that gives rise to the risk). Most risks in an information security context will be treated or tolerated, with the treatment options linking directly to Annex A controls in the Statement of Applicability.

The connection between the risk register and the control environment is what makes the ISMS coherent. Each implemented control should be traceable to one or more risks it is addressing. Each risk above the tolerance threshold should be traceable to a control or a risk owner who has accepted it. When these connections are documented, the ISMS tells a clear story: here are the risks we identified, here is how we assessed them, here is what we decided to do about each one, and here is the evidence that we did it. That story is what auditors are looking for when they review the risk assessment outputs.

Keeping the Risk Register Live

A risk assessment conducted once and never updated is a finding in a surveillance audit. The risk register should be reviewed at each management review and updated whenever the business changes materially: a new product launch, a new cloud service provider, a change in the threat landscape, a significant expansion of the team, or entry into a new market. Risk review does not mean redoing the entire assessment each time. It means checking whether existing risk ratings are still valid and whether new risks need to be added.

Assign risk ownership explicitly. Each risk in the register should have a named owner who is responsible for monitoring it, ensuring treatment actions are progressing, and escalating it if circumstances change. Without named ownership, risk registers become historical documents rather than active management tools. We have helped organisations in sectors ranging from online learning to credit reporting build risk registers that remain useful past the certification audit, and the consistent factor in those that work is clear ownership combined with a regular review cadence built into the ISMS calendar.

To discuss a practical risk assessment approach for your ISO 27001 programme, contact Cyberlinx at info@cyberlinx.com.au.

Table of Contents
Resource Type
Blogs
Category
GRC
Written by
Indra Gunawan
Head of Consulting
Free Risk Assessment
Cyberlinx brand name with linked chain links icon above it in white on a black background.

Ready to secure your
business?