
ISO 27001 Risk Assessment Guide: Methodology, Process & ISO 27005 Alignment

Risk assessment is the foundation of the ISO 27001 Information Security Management System. Clause 6.1.2 requires organizations to define and apply an information security risk assessment process that establishes risk criteria, ensures consistent and repeatable results, and identifies risks to the confidentiality, integrity, and availability of information. The risk assessment drives every subsequent ISMS decision, from control selection to resource allocation. This guide covers methodology selection, the assessment process, risk treatment planning, and alignment with ISO 27005.

Risk Assessment Requirements Under ISO 27001

ISO 27001 Clause 6.1.2 establishes the requirements for risk assessment but intentionally avoids prescribing a specific methodology, giving organizations flexibility to choose an approach appropriate to their context. The standard requires that the risk assessment process establishes and maintains information security risk criteria including risk acceptance criteria and criteria for performing risk assessments. The process must ensure that repeated risk assessments produce consistent, valid, and comparable results. Organizations must identify risks associated with the loss of confidentiality, integrity, and availability of information within the scope of the ISMS. They must analyze identified risks by assessing the potential consequences if the risks materialized and the realistic likelihood of occurrence, and then determine the level of risk. Finally, organizations must evaluate the analyzed risks by comparing results against established risk criteria and prioritize risks for treatment. The standard also requires that the risk assessment process and its results be documented. Clause 8.2 requires that risk assessments are performed at planned intervals or when significant changes are proposed or occur. This means the risk assessment is not a one-time activity but an ongoing process that must be maintained throughout the ISMS lifecycle.
  • ISO 27001 requires a risk assessment process but does not prescribe a specific methodology
  • Risk criteria including acceptance thresholds must be established and maintained
  • Repeated assessments must produce consistent, valid, and comparable results
  • Risks must be identified for confidentiality, integrity, and availability of information
  • Risk assessment must be performed at planned intervals and when significant changes occur

Choosing a Risk Assessment Methodology

Organizations can choose from several established risk assessment methodologies, and the choice should align with organizational size, complexity, and existing practices. Asset-based risk assessment identifies information assets first, then evaluates threats and vulnerabilities for each asset. This is the most traditional approach and aligns well with ISO 27005. It provides granular results but can be time-consuming for large organizations with many assets. Scenario-based risk assessment identifies realistic threat scenarios relevant to the organization and evaluates their likelihood and impact. This approach is more efficient for large environments and focuses attention on the most relevant threats rather than attempting to catalog every possible risk. Factor-based approaches use predefined risk factors such as threat capability, vulnerability exposure, and asset value to calculate risk levels using qualitative or quantitative scales. NIST SP 800-30 and OCTAVE are well-known factor-based methodologies. Quantitative approaches attempt to assign monetary values to risk, calculating Annual Loss Expectancy (ALE) from Single Loss Expectancy (SLE) and Annual Rate of Occurrence (ARO), i.e. ALE = SLE × ARO. While theoretically appealing, purely quantitative approaches are difficult to apply accurately in information security due to limited actuarial data. Most organizations use qualitative or semi-quantitative approaches with defined scales for likelihood and impact, producing risk levels such as Low, Medium, High, and Critical. Whatever methodology is chosen, it must be documented, approved by management, and applied consistently.
  • Asset-based approaches provide granular results but can be time-consuming for large organizations
  • Scenario-based approaches focus on realistic threats and are more efficient for large environments
  • Factor-based methodologies like NIST SP 800-30 and OCTAVE are well-established alternatives
  • Most organizations use qualitative or semi-quantitative approaches with defined scales
  • The chosen methodology must be documented, management-approved, and consistently applied

Asset Inventory and Information Classification

An effective risk assessment begins with a comprehensive understanding of what information assets the organization holds and their relative importance. ISO 27001 Annex A control A.5.9 requires an inventory of information and other associated assets, and A.5.10 requires acceptable use rules. Information assets include databases and data files, system documentation, user manuals, training materials, operational and support procedures, contracts and agreements, and business continuity plans. Supporting assets include application software, system software, development tools, physical infrastructure, network equipment, and third-party services. Each asset should be assigned an owner responsible for ensuring appropriate protection. Information classification under A.5.12 and A.5.13 assigns sensitivity levels to information based on its value, legal requirements, criticality, and sensitivity to unauthorized disclosure or modification. Common classification schemes use levels such as Public, Internal, Confidential, and Highly Confidential. The classification level directly influences the risk assessment because the impact of a breach increases with the sensitivity of the information involved. A thorough asset inventory and classification exercise before the risk assessment ensures that no significant assets are overlooked and that risk evaluation accurately reflects the importance of affected information.
  • Asset inventory must cover information assets, supporting assets, and third-party services
  • Each asset should have an assigned owner responsible for its protection
  • Information classification assigns sensitivity levels based on value, legal requirements, and criticality
  • Classification levels directly influence risk impact assessments
  • Completing inventory and classification before risk assessment ensures comprehensive coverage

Threat Identification and Vulnerability Analysis

Threat identification catalogs the potential events or actions that could harm information assets. Threats can be categorized as natural (earthquakes, floods, storms), environmental (power failures, temperature extremes), human intentional (hacking, social engineering, insider threats, espionage), human unintentional (configuration errors, accidental deletion, lost devices), and technical (hardware failure, software bugs, capacity overload). Sources for threat identification include industry threat reports and intelligence feeds, vulnerability databases such as CVE and NVD, incident history from the organization and its industry, regulatory guidance and compliance frameworks, and the new ISO 27001:2022 Annex A control A.5.7 on threat intelligence. Vulnerability analysis identifies weaknesses in the organization's assets, controls, or processes that threats could exploit. Vulnerabilities exist across technical domains (unpatched software, weak configurations, inadequate encryption), organizational domains (insufficient policies, lack of training, unclear responsibilities), physical domains (inadequate facility security, exposed cabling, poor environmental controls), and procedural domains (missing processes, inconsistent procedures, lack of monitoring). The combination of a relevant threat exploiting a specific vulnerability against a particular asset constitutes a risk. Documenting these combinations in a structured risk register enables systematic analysis, prioritization, and treatment. The risk register becomes the central artifact of the risk assessment process and the foundation for all subsequent risk treatment decisions.
  • Threats include natural, environmental, human (intentional/unintentional), and technical categories
  • Threat intelligence from industry sources, CVE databases, and incident history informs identification
  • Vulnerabilities span technical, organizational, physical, and procedural domains
  • The combination of threat, vulnerability, and asset constitutes a risk for the register
  • The risk register is the central artifact driving all risk treatment decisions

Risk Evaluation and Treatment Planning

Risk evaluation combines the assessed likelihood and impact to determine a risk level for each identified risk. Using a typical 5x5 risk matrix, likelihood ratings from Very Low to Very High are cross-referenced with impact ratings to produce risk levels. Each risk is then compared against the organization's defined risk acceptance criteria to determine whether treatment is needed. Risks below the acceptance threshold may be accepted by the risk owner with documented justification. Risks above the threshold must be treated. Risk treatment options under ISO 27001 include risk modification (implementing controls to reduce likelihood or impact), risk avoidance (eliminating the activity that creates the risk), risk sharing (transferring the risk through insurance, outsourcing, or partnerships), and risk retention (accepting the risk with documented justification when it falls within acceptance criteria after treatment). The risk treatment plan documents which option is selected for each risk, the specific controls or actions to be implemented, the responsible parties and timelines, and the expected residual risk level after treatment. Control selection should reference Annex A as a minimum, but organizations may select controls from any source including NIST, CIS Controls, or industry-specific frameworks. The Statement of Applicability documents which Annex A controls were selected as a result of the risk treatment process and justifies any exclusions.
  • Risk evaluation combines likelihood and impact using defined scales and risk matrices
  • Risks above acceptance thresholds must be treated; those below may be accepted with documentation
  • Treatment options: modify (controls), avoid (eliminate activity), share (transfer), or retain (accept)
  • The risk treatment plan documents controls, owners, timelines, and expected residual risk
  • Control selection references Annex A as minimum but may include NIST, CIS, or other sources
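As an added worked example (not code from the article or any named standard), the following Python risk-register evaluator implements the 5x5 likelihood/impact matrix, the acceptance criteria and the treatment-consistency check described above: it flags retention of a risk above the threshold and a residual risk that remains above the threshold after modification or sharing. The 1-5 scale, the band boundaries, the Low/Medium acceptance threshold and the register entries are constructed assumptions, since ISO 27001 prescribes none of them.

```python
from dataclasses import dataclass
SCALE = {"Very Low": 1, "Low": 2, "Medium": 3, "High": 4, "Very High": 5}  # assumed 1-5 scale
ACCEPTABLE = {"Low", "Medium"}  # assumed acceptance criteria, as in the FAQ below

def risk_level(likelihood: str, impact: str) -> str:
    """Cross-reference likelihood and impact on a 5x5 matrix; bands are assumed."""
    score = SCALE[likelihood] * SCALE[impact]
    if score >= 15:
        return "Critical"
    if score >= 8:
        return "High"
    if score >= 4:
        return "Medium"
    return "Low"

@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: str
    impact: str
    treatment: str = "retain"       # modify / avoid / share / retain
    residual_likelihood: str = ""   # expected after treatment; "" = unchanged
    residual_impact: str = ""

def evaluate(risk: Risk) -> dict:
    """Inherent and residual levels plus any finding on the treatment decision."""
    inherent = risk_level(risk.likelihood, risk.impact)
    residual = risk_level(risk.residual_likelihood or risk.likelihood,
                          risk.residual_impact or risk.impact)
    finding = ""
    if risk.treatment == "retain" and inherent not in ACCEPTABLE:
        finding = "retention chosen but inherent risk exceeds acceptance criteria"
    elif risk.treatment in ("modify", "share") and residual not in ACCEPTABLE:
        finding = "residual risk still above acceptance criteria after treatment"
    return {"asset": risk.asset, "inherent": inherent, "residual": residual,
            "needs_treatment": inherent not in ACCEPTABLE, "finding": finding}

# Constructed sample register entries: threat + vulnerability + asset = one risk
REGISTER = [
    Risk("Customer database", "External attacker", "Unpatched DBMS",
         "High", "Very High", "modify", residual_likelihood="Low"),
    Risk("Office laptops", "Lost device", "No full-disk encryption", "Medium", "High"),
    Risk("Training materials", "Accidental deletion", "No backup", "Low", "Low"),
]

def review(register: list) -> list:
    # Any entry with a non-empty finding needs its treatment plan reworked
    return [evaluate(r) for r in register]
```

Running review(REGISTER) shows the first entry still residually High after modification and the second retained despite being High, both of which an auditor would expect to see justified or corrected before the Statement of Applicability is finalized.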

ISO 27005 Alignment and Continuous Improvement

ISO 27005 provides detailed guidance on information security risk management that aligns directly with ISO 27001 requirements. While ISO 27005 is not mandatory for ISO 27001 certification, it provides a well-structured framework that many organizations find valuable for implementing their risk assessment process. ISO 27005 defines the risk management process as context establishment, risk identification, risk analysis, risk evaluation, risk treatment, risk acceptance, risk communication and consultation, and risk monitoring and review. This aligns closely with the ISO 27001 Clause 6.1.2 requirements and provides additional guidance on each step. The standard emphasizes that risk management is iterative and continuous. Initial assessments establish the baseline, but the risk landscape evolves constantly with new threats, changing business operations, and shifting regulatory requirements. Organizations should conduct full risk assessments at planned intervals, typically annually, and perform targeted assessments when significant changes occur such as new systems, business process changes, security incidents, or organizational restructuring. The continual improvement cycle (Plan-Do-Check-Act) ensures that risk assessment outcomes feed back into ISMS improvements, creating a positive feedback loop where each assessment cycle strengthens the organization's security posture. Management review should evaluate risk assessment results and determine whether the risk assessment process itself remains appropriate and effective.
  • ISO 27005 provides detailed risk management guidance aligned with ISO 27001 requirements
  • ISO 27005 is not mandatory for certification but provides a well-structured implementation framework
  • Risk management is iterative: full assessments annually with targeted assessments on change
  • The Plan-Do-Check-Act cycle ensures risk assessment improvements feed back into the ISMS
  • Management review should evaluate both risk results and the effectiveness of the process itself

Key Takeaways

  • Risk assessment is the foundation of the ISMS, driving all control selection and resource allocation decisions
  • ISO 27001 requires a consistent, repeatable process but does not prescribe a specific methodology
  • Asset inventory and information classification must be completed before meaningful risk assessment
  • Threats span natural, environmental, human, and technical categories across technical, organizational, physical, and procedural domains
  • Risk treatment options include modification, avoidance, sharing, and retention with documented justification
  • ISO 27005 provides detailed aligned guidance but is not mandatory for certification
  • Risk assessment is continuous, with full assessments annually and targeted assessments on significant change

Frequently Asked Questions

What risk assessment methodology should I use for ISO 27001?

ISO 27001 does not prescribe a specific methodology. Common choices include asset-based approaches (aligned with ISO 27005), scenario-based approaches, and factor-based methodologies like NIST SP 800-30 or OCTAVE. Choose based on your organization's size, complexity, and existing practices. The methodology must be documented and produce consistent, repeatable results.

How often should ISO 27001 risk assessments be performed?

Full risk assessments should be performed at planned intervals, typically annually. Additionally, targeted assessments are required when significant changes occur such as new systems, business process changes, security incidents, or organizational restructuring. The risk assessment is a continuous process, not a one-time activity.

What is the difference between risk assessment and risk treatment?

Risk assessment identifies, analyzes, and evaluates risks by determining their likelihood and impact. Risk treatment determines how to address identified risks through modification (controls), avoidance, sharing, or retention. Risk assessment informs treatment decisions; treatment implements the response to assessed risks.

Do I need ISO 27005 for ISO 27001 certification?

No. ISO 27005 is a guidance standard, not a requirement for ISO 27001 certification. However, it provides detailed risk management guidance that aligns well with ISO 27001 Clause 6.1.2 requirements and many organizations find it valuable for structuring their risk assessment process.

What is a risk register in ISO 27001?

A risk register is the central document that catalogs all identified risks, their assessed likelihood and impact, current risk levels, treatment decisions, control assignments, risk owners, and residual risk levels. It serves as the foundation for risk treatment planning and ongoing risk management.

How do I determine risk acceptance criteria?

Risk acceptance criteria define the threshold below which risks are acceptable without further treatment. They should be established by management based on the organization's risk appetite, business objectives, legal requirements, and stakeholder expectations. Criteria are typically expressed as risk levels (e.g., Low and Medium risks are accepted, High and Critical require treatment).
