ISO 27001 Risk Assessments

ISO 27001 is the international Standard that sets out the specifications of an Information Security Management System (ISMS), a best-practice approach to addressing information security that encompasses people, process and technology. The assessment and management of information security risks is at the core of the ISO 27001 approach.

Find out more about implementing ISO 27001 in your organisation >>

Take a free trial of vsRisk, the cyber security risk assessment tool >>

On this page

Risk management
Risk assessment standards
Risk assessment and management books
Risk assessment and management training
Risk assessment and management tools

Risk management

In today’s economy, the protection of critical information assets has become a fundamental board responsibility. Information security management (defined as ‘the protection of information from a wide range of threats in order to ensure business continuity, minimise business risk, and maximise return on investments and business opportunities’) is essential for any organisation, whether in the private or public sector.

The information security management Standard ISO 27001 explicitly requires compliant organisations to carry out risk assessments against agreed risk acceptance criteria, which must be applied whenever risk is analysed. Risk assessments must produce consistent, valid and comparable results.

Information security management decisions are driven by the outcomes of a risk assessment in relation to identified risks and specific information assets. Risk assessment enables expenditure on controls to be balanced against the business harm likely to result from security failures.

Risk assessment standards

An ISO 27001-compliant ISMS developed and maintained according to risk acceptance/rejection criteria is an extremely useful management tool. As the ISO 27001 controls used are based on the outcome of a risk assessment and the risk acceptance level set by management, an ISMS offers the opportunity to define and monitor service levels internally – as well as in contractor/partner organisations – by demonstrating the extent to which there is effective control of the risks for which directors and senior management are accountable.

The risk assessment requirements of ISO 27001:2013 are less prescriptive than those of the older ISO 27001:2005, and are aligned with ISO 31000, but a number of other information security and risk assessment standards support ISO 27001:

  • ISO/IEC 27005:2011 – The international Standard that provides guidelines for information security risk management. ISO 27005 is designed to support the implementation of information security based on a risk management approach.
  • BS 7799-3:2006 – The British information security risk management Standard.
  • ISO/IEC 31000:2009 – The international Standard that provides principles and generic guidelines on risk management.
  • ISO/IEC 31010:2009 – The international Standard that provides guidance on the selection and application of systematic techniques for risk assessment.
  • NIST SP 800-30 and NIST SP 800-53 – The US National Institute of Standards and Technology guide to conducting risk assessments, and its catalogue of security and privacy controls.

Risk assessment and management books

To build your knowledge of risk assessment and risk management, IT Governance recommends the following books:

Visit our Information Security Risk Management Bookshop for more titles >>

Risk assessment and management training

In order to acquire the skills that will enable you to undertake an asset-based information security risk assessment based on the best-practice guidance outlined in ISO 27005 and meet the requirements of ISO 27001, we recommend the following training courses:

Risk assessment and management tools

It is extremely difficult to carry out a risk assessment that will meet the requirements of ISO 27001 without using a specialist information security risk assessment tool.

IT Governance recommends vsRisk, a professional information security risk assessment tool that has been specifically designed to carry out a risk assessment that meets the requirements of ISO 27001.

vsRisk is available in three formats:

vsRisk includes additional add-ons, such as:

vsRisk is straightforward and quick to use, and can save you a significant amount of the budget you might otherwise spend on consultancy advice at this stage of the project.

The powerful features of vsRisk include:

  • Automates and delivers an ISO/IEC 27001-compliant information security risk assessment.
  • Simplifies and accelerates the risk assessment with an intuitive risk assessment process.
  • Provides three pre-populated control sets:
    • ISO/IEC 27001:2005, ISO/IEC 27001:2013 and ISO/IEC 27032.
  • Assesses confidentiality, integrity and availability (CIA) against business, legal and contractual requirements.
  • Produces a set of exportable, reusable and audit-ready ISO 27001-compliant documents.
  • Links and tracks controls back to specific documents to record implementation details.
  • Offers customisable assessment scales and risk assessment criteria.
  • Features back-up and restore functionality.
  • Includes a detailed user manual to take you step-by-step through the process.

Screenshots (images not reproduced): Navigation Screen; vsAsset Monitor; Assessment Screen.

User interface: enables the user to select the CIA (confidentiality, integrity and availability) and BLC (business, legal and contractual) requirements for the relevant asset.

Produces an ISO 27001-compliant Statement of Applicability.

Produces an ISO 27001-compliant Risk Treatment Plan.

vsRisk has been designed to empower the user to comply with the requirements of ISO 27001 and assess, manage and reduce their total information risks.

Take a free 15 day trial of vsRisk today >>
