

ISO 27001 Risk Assessments

ISO 27001 is the international best practice standard for an Information Security Management System (ISMS). Conducting an information security risk assessment is at the core of Information Security Management.

Continue reading to find out more about existing risk assessment standards, resources and tools.

To take a trial of vsRisk, the cyber security risk assessment tool, click here.


Risk Assessment Standards

An ISMS which is developed and based on risk acceptance / rejection criteria, and uses third party accredited certification to provide an independent verification of the level of assurance, is an extremely useful management tool. It offers the opportunity to define and monitor service levels internally as well as in contractor/partner organisations by demonstrating the extent to which there is effective control of those risks for which directors and senior management are accountable.

There are a number of other information security and risk assessment standards that support, or are similar to, ISO 27001 including:

  • ISO 27005:2011 (The Information Security Risk Management Standard)
  • BS 7799-3 (The British Risk Assessment Standard)
  • ISO 31000
  • NIST SP 800-30 and NIST SP 800-53

ISO 27005:2011

ISO 27005:2011 (ISO 27005) provides guidelines for information security risk management. It supports the general concepts specified in ISO/IEC 27001. ISO 27005 is designed to assist the satisfactory implementation of information security based on a risk management approach.

Buy the ISO27005 Standard (hardcopy or download) here

Risk Management

In today’s information economy, the protection of information assets (‘information security’) has become a fundamental board responsibility. Information security management (defined as ‘the protection of information from a wide range of threats in order to ensure business continuity, minimise business risk, and maximise return on investments and business opportunities’) is essential for any organisation in both the private and public sectors.

ISO 27001 is a specification that sets out the requirements for an Information Security Management System (ISMS). ISO 27001 explicitly requires the organisation to carry out a risk assessment, and says that the risk assessment must be based on agreed risk acceptance criteria (which are to be used when analysing risk) and that risk assessments must produce consistent, valid and comparable results.

Information security management decisions are entirely driven by specific decisions made as an outcome of a risk assessment in relation to identified risks and specific information assets. Risk assessment enables expenditure on controls to be balanced against the business harm likely to result from security failures.
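The two requirements above, an agreed acceptance criterion and results that are consistent and comparable across assets, can be made concrete in code. The following is an added illustration written for this page; it is not code from IT Governance or from vsRisk. Everything in it is constructed: the three-point scale, the convention that an asset's impact is the highest of its CIA ratings, the score formula (impact multiplied by likelihood), the acceptance threshold of 3, and the sample assets and risks.

```python
"""Asset-based risk assessment with an explicit, repeatable acceptance criterion."""
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    """Three-point scale shared by CIA impact and likelihood (constructed)."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3


@dataclass(frozen=True)
class Asset:
    name: str
    owner: str
    confidentiality: Level
    integrity: Level
    availability: Level

    @property
    def impact(self) -> Level:
        # Convention assumed here: the asset's value is its highest CIA rating.
        return max(self.confidentiality, self.integrity, self.availability)


@dataclass(frozen=True)
class Risk:
    asset: Asset
    threat: str
    vulnerability: str
    likelihood: Level


@dataclass(frozen=True)
class Assessment:
    asset: str
    threat: str
    score: int
    decision: str  # "accept" or "treat"


# Agreed risk acceptance criterion (constructed): scores at or below this are accepted.
ACCEPTANCE_THRESHOLD = 3


def risk_score(risk: Risk) -> int:
    """Impact x likelihood on the shared scale, so every score is comparable."""
    return int(risk.asset.impact) * int(risk.likelihood)


def assess_register(risks, threshold=ACCEPTANCE_THRESHOLD):
    """Score each risk, apply the acceptance criterion, and order the register
    highest-score first so control expenditure is directed at the largest harm."""
    results = []
    for r in risks:
        score = risk_score(r)
        decision = "accept" if score <= threshold else "treat"
        results.append(Assessment(r.asset.name, r.threat, score, decision))
    # Deterministic ordering: same inputs always yield the same register.
    return sorted(results, key=lambda a: (-a.score, a.asset, a.threat))


def summarise(results):
    """Count of accepted versus treated risks, for the risk treatment plan summary."""
    counts = {"treat": 0, "accept": 0}
    for a in results:
        counts[a.decision] += 1
    return counts


# Constructed sample register (hypothetical assets and risks).
CRM_DB = Asset("crm_db", "sales", Level.HIGH, Level.HIGH, Level.MEDIUM)
PUBLIC_SITE = Asset("public_site", "marketing", Level.LOW, Level.MEDIUM, Level.HIGH)
WIKI = Asset("intranet_wiki", "it", Level.MEDIUM, Level.LOW, Level.LOW)

SAMPLE_RISKS = [
    Risk(CRM_DB, "unauthorised disclosure", "unpatched database server", Level.MEDIUM),
    Risk(CRM_DB, "loss of backups", "no offsite backup copy", Level.LOW),
    Risk(PUBLIC_SITE, "denial of service", "no rate limiting", Level.HIGH),
    Risk(WIKI, "unauthorised modification", "shared editor account", Level.MEDIUM),
    Risk(WIKI, "accidental deletion", "no page history retained", Level.LOW),
]

if __name__ == "__main__":
    register = assess_register(SAMPLE_RISKS)
    for a in register:
        print(f"{a.score:>2}  {a.decision:<6}  {a.asset:<14} {a.threat}")
    print(summarise(register))
```

The acceptance threshold is a named constant rather than a value buried in a condition, which is what makes the criterion "agreed" and auditable: changing it changes every decision in the same way, and re-running the assessment on the same register reproduces the same ordered output.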

To build your knowledge of risk assessment and risk management, IT Governance recommends the following books as a sensible starting point:

In order to acquire the necessary skills that will enable you to undertake an asset-based information security risk assessment based on the best practice guidance as outlined in ISO 27005 and to meet the ISO 27001 requirements we recommend the following training courses:

Risk Assessment Tools

It is extremely difficult to carry out a risk assessment that will meet the requirements of ISO 27001 without using a specialist information security risk assessment tool. While there are a wide range of products on the market that claim to meet these requirements, the reality is that there are very few. IT Governance recommends vsRisk, the professional information security risk assessment tool which has been specifically designed to carry out a risk assessment that meets the ISO 27001 requirements.

vsRisk is available in the following three formats:

vsRisk includes additional add-ons, such as:

  • The ability to apply vsRisk to multiple ISMSs
  • The option to upgrade and add multiple risk assessors

vsRisk is straightforward and quick to use; it can save you a significant amount of the budget you might otherwise spend on consultancy advice at this stage of the project.

One consultancy firm told us:

"Why would we want to use this with our clients when it is going to reduce the number of days we can bill them?"

If you want to reduce the number of days your consultants will bill you for, then look no further than vsRisk.

vsRisk helps you perform information security risk assessments quickly and easily

  • Automates and delivers an ISO/IEC 27001-compliant asset-based information security risk assessment
  • Provides a set of three pre-populated control sets to choose from: ISO 27001:2013, ISO 27001:2005 or ISO 27032 (cyber security standard)
  • Includes a searchable and fully integrated ISO 27005-compliant threat and vulnerability database
  • Delivers a set of exportable and reusable ISO 27001-compliant reports, such as the Statement of Applicability, Risk Comments Report and Risk Treatment Plan
  • Customisable risk acceptance threshold and risk management scales
  • Easy-to-use and simple user interface

[Screenshot: Navigation Screen]

[Screenshot: vsAsset Monitor]

[Screenshot: Assessment Screen]

User interface: enables the user to select the CIA and the BLC for the relevant asset

Produces an ISO 27001-compliant Statement of Applicability

Produces an ISO 27001-compliant Risk Treatment Plan

vsRisk has been designed with the user in mind, empowering the user to comply with the requirements of ISO 27001 and effectively assess, manage and reduce their total information risks.


Information Security Risk Management for ISO27001/ISO27002

