How to write an ISO 27001-compliant risk assessment procedure

As part of your ISO 27001 certification project, your organisation will need to prove its compliance with appropriate documentation.

ISO 27001 says that you must document your information security risk assessment process.

Key elements of the ISO 27001 risk assessment procedure

Clause 6.1.2 of the Standard states that organisations must “define and apply” a risk assessment process.

An information security risk assessment is a formal, top management-driven process and sits at the core of an ISO 27001 information security management system (ISMS).

There are five simple steps that you should take to conduct a successful risk assessment:

  1. Establish a risk management framework
  2. Identify risks
  3. Analyse risks
  4. Evaluate risks
  5. Select risk treatment options

The risk assessment process determines the controls that have to be deployed in your ISMS. It leads to the Statement of Applicability, which identifies the controls that you are deploying in light of your risk assessment process.

Our bestselling book, Nine Steps to Success – An ISO 27001 Implementation Overview, provides more information on the topic of risk management.

Creating an ISO 27001 risk assessment procedure template

An effective ISO 27001 risk assessment procedure needs to reflect your organisation’s view on risk management and must produce “consistent, valid and comparable results”.

The risk assessment procedure should be detailed and describe who is responsible for doing what, when and in what order.

Below is an example of what a risk assessment procedure might look like, setting out the scope of the procedure, responsibilities, risks and controls.

ISO 27001 Risk Assessment Procedure Template example

Figure 1 Example of the risk assessment procedure template included in the ISO 27001 ISMS Documentation Toolkit

Developed by expert ISO 27001 practitioners, and enhanced by more than ten years of customer feedback and continual improvement, the ISO 27001 ISMS Documentation Toolkit contains customisable documentation templates, including a risk assessment procedure template (above), for you to easily apply to your organisation’s ISMS.

Using the toolkit can help speed up what is often a time-consuming task in your ISO 27001 project.

The ISO 27001 ISMS Documentation Toolkit includes:

  • A complete set of mandatory and supporting documentation templates that are easy to use, customisable and fully ISO 27001-compliant;
  • Helpful dashboards and gap analysis tools to ensure your ISMS meets all of the requirements of the Standard; and
  • Direction and guidance from expert ISO 27001 practitioners.

View the full contents of the toolkit >>

Find out how the documents and project tools can help you with your ISO 27001 project >>