How to create a risk assessment matrix

To comply with ISO 27001, the international standard for information security, you need to know how to perform a risk assessment. This process is at the core of your compliance measures, as it helps you identify the threats you face and the controls you need to implement.

To complete this process, you need a risk assessment matrix.

What is a risk assessment matrix?

Organisations can’t be expected to address every risk they face, so they need a way to prioritise them. A risk assessment matrix provides a simple way of doing that, quantifying the risk using a simple scoring system.

One axis represents the probability of a risk scenario occurring and the other represents the damage it will cause. Each cell in the middle holds a score derived from combining the two values.

How to use the risk assessment matrix

The grid is colour-coded based on a series of thresholds: 1–3 is in green, 4–6 in yellow, and so on. Organisations can use these thresholds to help them determine their risk appetite, i.e. the level of risk they are willing to accept.

For example, an organisation might say that it will address anything with a score higher than 6, and accept anything lower as insignificant enough that it can be ignored. Where you set your threshold depends on the resources at your disposal. The lower your limit, the more risks you need to address and the more of ISO 27001’s controls you will need to implement.

There’s no universal system for determining the point at which the probability or damage of a risk moves from one number to the next. Organisations must decide that themselves, and document their rationale in their risk assessment methodology.

As a general guide, it’s worth remembering that the highest and lowest scores have to be open-ended (“anything that occurs more/less often than…”, “anything that causes more/less than x amount of damage…”). These should be the first two thresholds that you set, because they will have a big effect both on how precise your scoring mechanism is and on your risk appetite.

The higher your maximum value is, the lower the chances are of a risk scoring top marks. The reverse is true of your minimum value.
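To make the scoring and the risk-appetite decision concrete, here is an added Python example (it is not part of the original article and not IT Governance toolkit code). It assumes a three-level scale on each axis and that a cell score is the product of the two axis values; the band thresholds (1–3 green, 4–6 yellow) are the ones given above, and treating anything above 6 as red is an assumption. The risk scenarios are constructed sample input.

```python
from dataclasses import dataclass
from typing import Dict, List

# ASSUMED scales for this example. An organisation must define its own levels
# and record the rationale for each boundary in its risk assessment methodology;
# the top and bottom levels are deliberately open-ended, as the article advises.
PROBABILITY: Dict[int, str] = {
    1: "rare: occurs less often than once every few years",
    2: "possible: occurs roughly once a year",
    3: "frequent: occurs more often than once a year",
}
DAMAGE: Dict[int, str] = {
    1: "minor: less than a day of disruption, no regulatory impact",
    2: "moderate: days of disruption or a reportable incident",
    3: "severe: more than a week of disruption or material harm",
}

# Colour bands from the article (1-3 green, 4-6 yellow); "red" above 6 is assumed.
BANDS = [(3, "green"), (6, "yellow")]
TOP_BAND = "red"


def score(probability: int, damage: int) -> int:
    """Combine the two axis values into one cell score (product is an assumption)."""
    if probability not in PROBABILITY or damage not in DAMAGE:
        raise ValueError("axis values must lie within the documented scales")
    return probability * damage


def band(cell_score: int) -> str:
    """Map a cell score onto its colour band using the threshold table."""
    for upper, colour in BANDS:
        if cell_score <= upper:
            return colour
    return TOP_BAND


def build_matrix() -> List[List[int]]:
    """Full grid: one row per probability level, one column per damage level."""
    return [[score(p, d) for d in sorted(DAMAGE)] for p in sorted(PROBABILITY)]


@dataclass
class Risk:
    name: str
    probability: int
    damage: int

    @property
    def score(self) -> int:
        return score(self.probability, self.damage)


def risks_to_treat(risks: List[Risk], appetite: int) -> List[Risk]:
    """Risks scoring above the appetite, highest first; everything else is accepted.

    Lowering the appetite returns more risks, each of which needs a treatment
    decision and, typically, more ISO 27001 controls.
    """
    selected = [r for r in risks if r.score > appetite]
    return sorted(selected, key=lambda r: r.score, reverse=True)


# Constructed sample register, not real data.
SAMPLE_RISKS: List[Risk] = [
    Risk("laptop theft from unattended vehicle", probability=2, damage=2),
    Risk("ransomware delivered by phishing e-mail", probability=3, damage=3),
    Risk("data centre flooding", probability=1, damage=3),
    Risk("staff member shares a password", probability=3, damage=2),
]


if __name__ == "__main__":
    for row, p in zip(build_matrix(), sorted(PROBABILITY)):
        print(f"P={p}: " + "  ".join(f"{s:2d}({band(s)[0]})" for s in row))
    for appetite in (6, 3):
        names = [f"{r.name} [{r.score}/{band(r.score)}]"
                 for r in risks_to_treat(SAMPLE_RISKS, appetite)]
        print(f"appetite > {appetite}: treat {names}")
```

Running the script prints the 3×3 grid with each cell's band and then the treatment list for two appetites, showing how moving the threshold from 6 down to 3 grows the list from one risk to three.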

Need help documenting your risk assessment process?

IT Governance’s ISO 27001 ISMS Documentation Toolkit includes templates of every document you need to comply with the Standard, including comprehensive coverage of the risk assessment process. This toolkit makes it easy to document your:

  • Risk assessment procedure;
  • Risk management framework; and
  • Risk treatment plan.

Designed and developed by expert ISO 27001 practitioners, and enhanced by more than ten years of customer feedback and continual improvement, our ISO 27001 toolkit provides the guidance and tools you need for a hassle-free compliance process.
