7 steps to a successful ISO 27001 risk assessment

Risk assessments are at the core of any organisation’s ISO 27001 compliance project.

They are essential for ensuring that your ISMS (information security management system) – which is the end-result of implementing the Standard – is relevant to your organisation’s needs.

What is an information security risk assessment?

An information security risk assessment is the process of identifying the risks to your organisation’s information, analysing how likely each one is and how severe its consequences would be, and evaluating which of them exceed the level of risk your organisation is prepared to accept. Treating those risks is a separate, later step; the assessment is what tells you which risks need treating and in what order.

Your organisation’s risk assessor (or risk assessment team) identifies the risks the organisation faces and evaluates them using an agreed, documented methodology.

The risk assessment will often be asset based, whereby risks are assessed relative to your information assets. It must cover the entire scope of the ISMS, which for most organisations means the whole organisation.

ISO 27001 is explicit that a documented risk assessment process must be used to select and justify your security controls, and that the process must take into account your legal, regulatory and contractual obligations.

So, how should you get started?

How to conduct an ISO 27001 risk assessment

Conducting a risk assessment can be daunting, but we have simplified the process into seven steps:

1. Define your risk assessment methodology

ISO 27001 does not prescribe a specific risk assessment methodology, but it does require that whatever methodology you choose produces consistent, valid and comparable results each time it is applied. Defining the methodology up front sets the rules by which you will perform the assessment. It needs to address four issues: baseline security criteria, the risk scale (how likelihood and impact are measured and combined into a risk level), the risk appetite (the level of risk you are prepared to accept without further treatment), and whether the assessment will be scenario-based or asset-based.

2. Compile a list of your information assets

If opting for an asset-based risk assessment, you should work from an existing inventory of information assets, each with a named owner, which includes hard copies of information, electronic files, removable media, mobile devices and intangibles, such as intellectual property.

3. Identify threats and vulnerabilities

Identify the threats and vulnerabilities that apply to each asset. A risk exists where a threat can exploit a vulnerability: for example, the threat ‘theft of mobile device’ combined with the vulnerability ‘device storage not encrypted’ puts the information on the device at risk, whereas the same theft of an encrypted device that can be wiped remotely is largely a hardware loss.

4. Evaluate the extent of the risk

Assign a likelihood value to each risk and an impact value to its consequences, using the scale defined in your methodology, and combine them (for example, by multiplying them) into a risk level. Comparing that level with your risk appetite tells you which risks are acceptable as they stand and which must be treated in the next step.

5. Mitigate the risks to reduce them to an agreed and acceptable level

Four treatment options are commonly used: ‘terminate’ the risk by stopping the activity that gives rise to it, ‘treat’ the risk by applying security controls (typically selected from Annex A) that reduce its likelihood or impact, ‘transfer’ the risk to a third party through insurance or outsourcing, or ‘tolerate’ the risk because it already sits within your appetite. Transferring a risk does not transfer your accountability for it, and whatever residual risk remains after treatment must be formally accepted by the risk owner.

6. Compile risk reports

ISO 27001 requires your organisation to produce a set of documents for audit and certification purposes, the most important being the SoA (Statement of Applicability), which lists every Annex A control and states whether it applies to you and why, and the RTP (risk treatment plan), which records how each risk will be treated, by whom and by when.

7. Review, monitor and audit

ISO 27001 requires your organisation to repeat the risk assessment at planned intervals and whenever significant changes occur, and to continually review, update and improve the ISMS so that it remains effective as the threat environment changes.
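To make the seven steps concrete, the following Python risk register is added here as an illustration; it is not code from the original post or from any tool mentioned on this page. It assumes a 1-to-5 scale for likelihood and impact, a risk level equal to likelihood multiplied by impact, a risk appetite of 6 and the four treatment options described above. The assets, threats, vulnerabilities and scores are constructed sample data, and the control identifiers follow ISO 27001:2022 Annex A numbering but were picked for the example. From the register it produces the two documents from step 6 and flags the case where a treated risk’s residual level is still above appetite, which is the point at which the risk owner’s formal acceptance is needed.

```python
from dataclasses import dataclass, field
from typing import Optional

# Step 1: methodology. Likelihood and impact score 1..5, risk level is their
# product (1..25), and appetite is 6: anything at or below 6 is acceptable
# without further treatment. All of these values are assumptions.
SCALE = range(1, 6)
RISK_APPETITE = 6
TREATMENTS = ("terminate", "treat", "transfer", "tolerate")


@dataclass
class Risk:
    asset: str                    # step 2: information asset
    owner: str                    # risk owner who accepts the residual risk
    threat: str                   # step 3
    vulnerability: str            # step 3
    likelihood: int               # step 4, inherent (before treatment)
    impact: int                   # step 4
    treatment: str = "tolerate"   # step 5
    controls: list[str] = field(default_factory=list)  # Annex A control ids
    residual_likelihood: Optional[int] = None  # expected after controls
    residual_impact: Optional[int] = None

    def __post_init__(self):
        if self.treatment not in TREATMENTS:
            raise ValueError(f"unknown treatment option {self.treatment!r}")
        # An untreated risk keeps its inherent scores as its residual scores.
        if self.residual_likelihood is None:
            self.residual_likelihood = self.likelihood
        if self.residual_impact is None:
            self.residual_impact = self.impact
        for score in (self.likelihood, self.impact,
                      self.residual_likelihood, self.residual_impact):
            if score not in SCALE:
                raise ValueError(f"score {score} is outside the 1-5 scale")

    def inherent_level(self) -> int:
        return self.likelihood * self.impact

    def residual_level(self) -> int:
        # Terminating removes the activity, so nothing is left to assess.
        if self.treatment == "terminate":
            return 0
        return self.residual_likelihood * self.residual_impact


def exceeds_appetite(level: int, appetite: int = RISK_APPETITE) -> bool:
    return level > appetite


def sample_register() -> list[Risk]:
    """Constructed sample risks; control ids follow ISO 27001:2022 Annex A."""
    return [
        Risk("Staff laptops", "IT manager", "theft of mobile device",
             "full-disk encryption not enforced", likelihood=4, impact=4,
             treatment="treat", controls=["A.8.1", "A.8.24"],
             residual_likelihood=4, residual_impact=1),
        Risk("Customer database", "Head of sales", "SQL injection",
             "web application lacks input validation", likelihood=3, impact=5,
             treatment="treat", controls=["A.8.25", "A.8.28"],
             residual_likelihood=2, residual_impact=5),
        Risk("Payroll processing", "Finance director", "provider outage",
             "single outsourced provider", likelihood=2, impact=3),
        Risk("Legacy FTP file drop", "IT manager", "credential sniffing",
             "cleartext protocol", likelihood=4, impact=3,
             treatment="terminate"),
    ]


def risk_treatment_plan(register: list[Risk],
                        appetite: int = RISK_APPETITE) -> list[dict]:
    """Step 6: one RTP row per risk whose inherent level exceeds appetite."""
    plan = []
    for r in register:
        if not exceeds_appetite(r.inherent_level(), appetite):
            continue  # within appetite: tolerated, no plan entry needed
        residual = r.residual_level()
        plan.append({
            "asset": r.asset, "threat": r.threat, "owner": r.owner,
            "inherent": r.inherent_level(), "treatment": r.treatment,
            "controls": r.controls, "residual": residual,
            # Residual risk still above appetite needs the owner's sign-off.
            "owner_acceptance_required": exceeds_appetite(residual, appetite),
        })
    return plan


def statement_of_applicability(register: list[Risk],
                               catalogue: list[str]) -> dict:
    """Step 6: for each control in the catalogue, applicable or not, and why."""
    reasons: dict[str, list[str]] = {}
    for r in register:
        for c in r.controls:
            reasons.setdefault(c, []).append(f"{r.asset}: {r.threat}")
    return {c: {"applicable": c in reasons,
                "justification": "; ".join(reasons.get(c, []))
                                 or "no assessed risk requires this control"}
            for c in catalogue}
```

Running `risk_treatment_plan(sample_register())` yields three rows: the payroll risk scores 6 and is tolerated without an entry, the laptop risk drops from 16 to 4 once encryption is enforced, the FTP service is terminated, and the database risk falls from 15 to 10 after secure development controls are applied, which is still above the appetite of 6 and is therefore marked as requiring the risk owner’s acceptance. `statement_of_applicability` then turns the controls referenced in the register into SoA entries, with a justification for each control that was excluded.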

Learn more about risk assessments

We provide a more detailed breakdown of these steps in our free green paper: Risk Assessment and ISO 27001. It also explains:

  • The relationship between ISO 27001 and ISO 31000, the international standard that describes best practices for risk management;
  • Things to avoid when performing a risk assessment;
  • The importance of risk assessments to the ISO 27001 Statement of Applicability; and
  • How to make your risk assessments as cost-effective as possible.

Those looking for hands-on help conducting a risk assessment should take a look at our risk assessment software, vsRisk™. It provides a simple and fast way to identify relevant threats, and delivers repeatable, consistent assessments year after year.

Its integrated risk, vulnerability and threat database eliminates the need to compile a list of potential risks from scratch, and the built-in control sets help you comply with multiple frameworks.


A version of this blog was originally published on 19 September 2017.