Risk Assessment (ISO 27001)

Risk assessment is the process by which your organisation systematically identifies, analyses and evaluates information security risks. It is one of the central requirements in ISO 27001 and the foundation for selecting the right security controls in your ISMS.

    What is risk assessment?

    In ISO 27001, risk assessment is the process by which an organisation identifies risks to the confidentiality, integrity and availability of its information assets. The process forms the basis for all subsequent decisions on security controls and is a mandatory requirement in the standard (clause 6.1.2).

    A risk assessment in the ISO 27001 context is about understanding what could go wrong, how likely it is and what consequence it would have for the organisation. The result is used to prioritise which risks should be treated and how.

    The risk assessment process

    ISO 27001 requires a consistent and reproducible method. A typical process contains the following steps:

    • Risk identification: Map information assets and identify threats, vulnerabilities and possible consequences.
    • Risk analysis: Assess the likelihood and impact of each identified risk.
    • Risk evaluation: Compare the analysed risk level against the organisation's risk criteria and decide which risks are acceptable.

    Risk treatment

    After the risk assessment, a risk treatment plan is developed. Risks can be treated in four ways:

    • Modification: Implement controls from Annex A to reduce the risk.
    • Avoidance: Cease the activity that creates the risk.
    • Sharing: Transfer the risk to a third party (e.g. via insurance or outsourcing).
    • Acceptance: Accept the risk if it falls within risk criteria.

    Documentation requirements

    ISO 27001 requires documented information on the results of the risk assessment. This means you must have documentation for the identified risks, the chosen method, results and decisions on risk treatment. These documents are typically subject to external audit during certification.


    Risk owners:
    ISO 27001 requires that a risk owner is designated for each risk. This is the person or function responsible for deciding how the risk should be treated and for monitoring whether treatment is effective.
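A small risk register that carries the process above (identification, analysis, evaluation, treatment decision, risk owner) through to the findings an auditor would raise; this is an added example, not from the original page or any ISO 27001 tool, and the 1-5 likelihood and impact scales, the likelihood x impact scoring, the acceptance threshold and the register entries are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional

# The four treatment options named in the text; "accept" is only valid within the risk criteria.
TREATMENTS = {"modify", "avoid", "share", "accept"}


@dataclass
class Risk:
    asset: str              # risk identification: the information asset
    threat: str             # ... the threat
    vulnerability: str      # ... the vulnerability it could exploit
    likelihood: int         # 1 (rare) .. 5 (almost certain), assumed scale
    impact: int             # 1 (negligible) .. 5 (severe), assumed scale
    owner: Optional[str] = None
    treatment: Optional[str] = None

    def level(self) -> int:
        """Risk analysis: level as likelihood x impact on the assumed scales."""
        return self.likelihood * self.impact


def evaluate(risk: Risk, acceptance_threshold: int) -> bool:
    """Risk evaluation: True when the analysed level is within the organisation's criteria."""
    return risk.level() <= acceptance_threshold


def review_register(register: List[Risk], acceptance_threshold: int) -> List[str]:
    """Return documentation findings; an empty list means every entry is consistent."""
    findings = []
    for r in register:
        tag = f"{r.asset}/{r.threat}"
        if not r.owner:
            findings.append(f"{tag}: no risk owner designated")
        if r.treatment not in TREATMENTS:
            findings.append(f"{tag}: treatment decision missing or unknown ({r.treatment!r})")
        elif r.treatment == "accept" and not evaluate(r, acceptance_threshold):
            findings.append(f"{tag}: level {r.level()} exceeds criteria ({acceptance_threshold}) but is accepted")
    return findings


# Constructed sample register (illustrative values, not real data).
SAMPLE = [
    Risk("customer DB", "ransomware", "unpatched server", 4, 5, "CISO", "modify"),
    Risk("laptop fleet", "theft", "no disk encryption", 3, 3, "IT manager", "accept"),
    Risk("legacy FTP", "credential sniffing", "cleartext protocol", 5, 3, None, "accept"),
]

if __name__ == "__main__":
    for finding in review_register(SAMPLE, acceptance_threshold=9):
        print(finding)
```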

    Frequently Asked Questions about Risk Assessment (ISO 27001)

    What is a risk assessment in ISO 27001?

    A risk assessment in ISO 27001 is a systematic process in which the organisation identifies threats and vulnerabilities, assesses likelihood and impact, and decides which risks should be treated. The result forms the basis for selecting security controls.

    How often must risk assessments be performed?

    ISO 27001 requires risk assessments to be carried out at planned intervals and whenever there are significant changes. In practice, at least once a year is recommended, as well as after major organisational or technological changes.

    What is the difference between risk identification and risk analysis?

    Risk identification is about finding and mapping risks, whilst risk analysis is about assessing the likelihood and impact of each risk. Both steps form part of the overall risk assessment process.

    What are the four risk treatment options?

    ISO 27001 recognises four ways to treat risk: modification (implement controls to reduce the risk), avoidance (cease the risk-creating activity), sharing (transfer the risk to a third party) and acceptance (accept the risk within defined criteria).

    What documentation does ISO 27001 require for risk assessment?

    ISO 27001 requires documented information on the risk assessment methodology, the identified risks, the analysis results and decisions on risk treatment. These documents are subject to external audit during certification.
