ISO 27001 Risk Assessments

ISO 27001 is the international Standard that sets out the specification for an Information Security Management System (ISMS), a best-practice approach to information security that encompasses people, process and technology. The assessment and treatment of information security risks is at the core of the ISO 27001 approach: the controls an organisation implements are justified by the risks it has identified.

Find out more about implementing ISO 27001 in your organisation >>

On this page

Risk management
Risk assessment standards
Risk assessment and management books
Risk assessment and management training
Risk assessment and management tools

Risk management

The protection of critical information assets is now a fundamental board responsibility, and information security management is essential for any organisation, in the private or public sector. Information security itself is defined in ISO/IEC 27002:2005 as "the protection of information from a wide range of threats in order to ensure business continuity, minimise business risk and maximise return on investments and business opportunities".

ISO 27001 explicitly requires a compliant organisation to define risk acceptance criteria and criteria for performing risk assessments, and to apply them consistently whenever risk is analysed. Because the same criteria are used every time, repeated risk assessments must produce consistent, valid and comparable results; an assessment that scores the same risk differently depending on who performs it fails this requirement.

Decisions about which security controls to implement are driven by the outcome of the risk assessment, in which information assets are identified and the risks to them are analysed and evaluated against the acceptance criteria. Risk assessment therefore allows expenditure on controls to be balanced against the business harm likely to result from security failures: risks within the acceptance criteria can be accepted, while those above it must be treated or formally accepted by the accountable risk owner.
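The following is an added illustration, not part of the original page and not the method of ISO 27001, ISO 27005 or any named tool, of how fixed risk criteria make an asset-based assessment repeatable. The likelihood and impact scales, the acceptance level of 6, the asset and owner names and the Annex A control references chosen for treatment are all assumptions made for the example; ISO 27001:2013 requires that such criteria exist and are applied consistently, but does not prescribe their values.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Scales and acceptance criteria are defined once, up front (assumption: ISO 27001
# does not prescribe these values; clause 6.1.2 only requires that the criteria
# exist and that repeated assessments give consistent, comparable results).
LIKELIHOOD: Dict[int, str] = {1: "rare", 2: "unlikely", 3: "possible", 4: "likely", 5: "almost certain"}
IMPACT: Dict[int, str] = {1: "negligible", 2: "minor", 3: "moderate", 4: "major", 5: "severe"}
RISK_ACCEPTANCE_LEVEL = 6  # assumption: management accepts any risk scored <= 6


def _check_scale(name: str, value: int, scale: Dict[int, str]) -> None:
    """Reject scores outside the agreed scale so assessors cannot invent a 7."""
    if value not in scale:
        raise ValueError(f"{name}={value} is outside the agreed scale {sorted(scale)}")


@dataclass
class Risk:
    """One line of the risk register: an asset, the threat/vulnerability pair that
    creates the risk, and the owner accountable for the treatment decision."""
    asset: str
    owner: str
    threat: str
    vulnerability: str
    likelihood: int
    impact: int
    controls: List[str] = field(default_factory=list)   # Annex A references chosen for treatment
    residual_likelihood: Optional[int] = None           # re-scored after controls are applied
    residual_impact: Optional[int] = None

    def __post_init__(self) -> None:
        _check_scale("likelihood", self.likelihood, LIKELIHOOD)
        _check_scale("impact", self.impact, IMPACT)
        if self.residual_likelihood is not None:
            _check_scale("residual_likelihood", self.residual_likelihood, LIKELIHOOD)
        if self.residual_impact is not None:
            _check_scale("residual_impact", self.residual_impact, IMPACT)

    @property
    def inherent(self) -> int:
        return self.likelihood * self.impact

    @property
    def residual(self) -> int:
        # Without controls the residual risk equals the inherent risk.
        lik = self.residual_likelihood if self.residual_likelihood is not None else self.likelihood
        imp = self.residual_impact if self.residual_impact is not None else self.impact
        return lik * imp


def treatment_decision(risk: Risk, acceptance_level: int = RISK_ACCEPTANCE_LEVEL) -> str:
    """Apply the acceptance criteria mechanically, so two assessors reach the
    same conclusion for the same scores."""
    if risk.inherent <= acceptance_level:
        return "accept"
    if risk.controls and risk.residual <= acceptance_level:
        return "treated"
    return "treatment required"   # above criteria: owner must treat or formally accept


def build_register(risks: List[Risk]) -> List[Dict[str, object]]:
    """Order by inherent risk so spend on controls follows the largest exposures."""
    rows = []
    for r in sorted(risks, key=lambda x: x.inherent, reverse=True):
        rows.append({
            "asset": r.asset, "owner": r.owner,
            "risk": f"{r.threat} exploiting {r.vulnerability}",
            "inherent": r.inherent, "residual": r.residual,
            "controls": ", ".join(r.controls) or "-",
            "decision": treatment_decision(r),
        })
    return rows


# Constructed sample register for the example; not data from any real organisation.
SAMPLE_RISKS = [
    Risk("Customer database", "Head of IT", "external attacker", "unpatched DB server",
         likelihood=4, impact=5, controls=["A.12.6.1", "A.9.4.2"],
         residual_likelihood=1, residual_impact=5),
    Risk("Backup media", "Ops manager", "loss in transit", "unencrypted tapes",
         likelihood=3, impact=4, controls=["A.10.1.1", "A.8.3.3"],
         residual_likelihood=3, residual_impact=1),
    Risk("Public website", "Marketing", "defacement", "CMS with default theme",
         likelihood=3, impact=2),
    Risk("HR salary spreadsheet", "HR director", "insider disclosure", "shared folder open to all staff",
         likelihood=4, impact=3),
]

if __name__ == "__main__":
    for row in build_register(SAMPLE_RISKS):
        print(f"{row['inherent']:>2} -> {row['residual']:>2}  {row['decision']:<19} "
              f"{row['asset']}: {row['risk']} [{row['controls']}]")
```

The point of the example is not the arithmetic but where the judgement sits: the scales and the acceptance level are agreed by management before anyone scores a risk, the scoring function rejects values off the scale, and the treatment decision follows from the criteria rather than from the assessor's mood. The customer database risk (inherent 20) drops to 5 after the selected controls and is recorded as treated; the HR spreadsheet (inherent 12) has no controls yet and is flagged for treatment or formal acceptance by its owner.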

Risk assessment standards

An ISO 27001-compliant ISMS, which is developed and maintained according to risk acceptance/rejection criteria, is an extremely useful management tool. The resulting ISO 27001 controls are based on the outcome of a risk assessment and the risk acceptance level set by management. Therefore, an ISMS offers the opportunity to define and monitor service levels internally – as well as in contractor/partner organisations – by demonstrating the extent to which there is effective control of the risks for which directors and senior management are accountable.

The risk assessment requirements of ISO 27001:2013 are less prescriptive than those of the earlier ISO 27001:2005, which mandated an asset-based approach, and are aligned with the generic risk management framework of ISO 31000. A number of other standards support the ISO 27001 risk assessment process:

  • ISO/IEC 27005:2011
    Guidelines for information security risk management, written to support the ISMS requirements of ISO 27001 with a risk-based approach to implementing information security.
  • ISO 31000:2009
    Principles and generic guidelines on risk management for any type of risk, on which the risk clauses of ISO 27001:2013 are modelled.
  • ISO/IEC 31010:2009
    Guidance on the selection and application of systematic techniques for risk assessment.
  • NIST SP 800-30
    The US National Institute of Standards and Technology guide for conducting risk assessments.
  • NIST SP 800-53
    The NIST catalogue of security and privacy controls for information systems, often used as an alternative or supplementary control set alongside ISO 27001 Annex A.

Risk assessment and management books

To build your knowledge of risk assessment and risk management, IT Governance recommends the following books:

Visit our information security risk management bookshop for more titles >>

Risk assessment and management training

To acquire the skills to undertake an asset-based information security risk assessment based on the best-practice guidance outlined in ISO 27005 and meet the requirements of ISO 27001, we recommend the following training courses:

Risk assessment and management tools

It is extremely difficult to carry out a risk assessment that will meet the requirements of ISO 27001 without using a specialist information security risk assessment tool.

IT Governance recommends vsRisk, a professional information security risk assessment tool that has been specifically designed to carry out a risk assessment to meet the requirements of ISO 27001.

vsRisk is available in the following formats:

  • vsRisk Standalone – a single user, desktop-based tool.
  • vsRisk Multi-user – fully accessible from a remote network server and available for use by up to ten concurrent risk assessors.

vsRisk includes additional add-ons, such as:

vsRisk is straightforward and quick to use, and can save you a significant amount of the budget you might otherwise spend on consultancy advice at this stage of the project.

vsRisk includes the following powerful features:

  • A sample risk assessment template that includes:
    • A library of assets, pre-assigned to organisational roles that typically manage those assets.
    • Pre-selected threat and vulnerability pairs (the risks) applied to each asset group.
    • The relevant ISO 27001:2013 controls pre-applied to each risk.
  • Track risks, actions and priorities from dashboard views.
  • Includes seven different control sets.
  • Apply implementation details.
  • Collaborate with multiple users or assessors.
  • Add comments and deadlines.
  • Draw, edit and print instant, audit-ready reports.

Request a free one-to-one demonstration of vsRisk from its manufacturer, Vigilant Software. Click here to find out more >


For stress-free ISO 27001 risk assessments, vsRisk saves 80% of your time and ensures 100% accuracy >>