22/02/2025

ISO 27001 Risk Assessment 101: Identifying and Treating Information Security Risks

Risk assessment sits at the heart of ISO 27001. It’s the bedrock process that helps organisations understand precisely what could go wrong with their information and decide how to guard against these threats. Although risk assessment can sound like a purely technical exercise, it’s every bit as crucial for decision-makers who need to interpret the results and approve the necessary investments. In this post, we’ll demystify the essential elements of ISO 27001 risk assessment—what it entails, the steps involved, and how to move seamlessly from identifying risks to treating them.

What ISO 27001 Requires for Risk Assessment

Clause 6.1.2 of ISO 27001 is clear: organisations must systematically identify information security risks and decide how to manage them. You need a documented process that outlines how you discover potential threats, analyse them, and determine the best course of action for each. A few key terms underpin this requirement:

  • Assets: The information, software, devices, services, and facilities you’re protecting.
  • Threats: Events or actors that can cause harm (e.g., cyberattacks, insider abuse, fire).
  • Vulnerabilities: Weaknesses or flaws that a threat can exploit (e.g., unpatched software).
  • Risk Owners: Individuals responsible for ensuring specific risks are properly managed.
  • Risk Criteria: Your organisation’s thresholds for accepting risk—defining which risks require action and which can be tolerated.

By establishing these definitions from the outset, your teams know precisely what they’re looking for and how to evaluate the risks they find.

Steps to Conduct a Risk Assessment

1. Identify Assets and Owners

Start by listing all critical information assets. Think broadly—data, software, hardware, cloud services, even physical locations. For each asset, appoint an owner who has responsibility for its security. This step ensures accountability: if something goes wrong, there’s a dedicated point of contact with decision-making authority.

2. Identify Threats and Vulnerabilities

Next, brainstorm the threats (like ransomware, physical break-ins, or accidental data loss) and vulnerabilities (such as missing patches, weak passwords, or lax physical security) that could compromise each asset. The aim is to map out all realistic attack or failure scenarios. Be thorough but also practical—focus on threats that genuinely align with your business context.

3. Evaluate Risk (Likelihood and Impact)

Once threats and vulnerabilities are identified, measure likelihood (how probable is this event?) and impact (what would be the consequences?). Some organisations use a simple Low/Medium/High scale; others employ a numeric scoring system (e.g., 1 to 5). Multiply or combine these factors to arrive at a risk level. High-likelihood and high-impact scenarios obviously demand more urgent attention.

4. Prioritise Risks

Compare the calculated risk levels against your organisation’s risk acceptance criteria. High-scoring risks typically need immediate or more robust treatment, while low-level risks might be acceptable (or at least require less extensive mitigation). Establishing these thresholds ahead of time ensures consistent decision-making across the board.

Risk Treatment Planning

Clause 6.1.2 also specifies creating a risk treatment plan—essentially documenting how you intend to address each significant risk. According to ISO 27001 guidelines, you have four main options:

  1. Mitigate: Implement new or improved controls to reduce the risk.
  2. Transfer: Offload some or all of the risk to a third party (e.g., insurance or an outsourced provider).
  3. Accept: Choose to do nothing for low-priority risks, understanding the potential consequences.
  4. Avoid: Discontinue the risky activity altogether if it’s deemed too hazardous or not mission-critical.

Each risk you consider “unacceptable” based on your criteria should have a corresponding treatment action. If, for example, your biggest risk is a targeted cyberattack exploiting old software, your plan might include aggressive patch management, network segregation, and enhanced monitoring.

Selecting Controls (Risk Treatment)

ISO 27001 provides a reference list of security controls in its Annex A. While you’re not strictly required to implement all of them, you must at least review and decide whether each control is relevant for your circumstances. Consider typical risks:

  • Data Centre Fire
    • Potential Controls: Fire suppression systems, environmental monitoring, offsite backups.
  • Stolen Credentials
    • Potential Controls: Multi-factor authentication (MFA), strong password policies, security awareness training.

Each control should map back to a specific risk. This alignment proves that you’ve carefully considered how each measure reduces a particular vulnerability or threat. It also makes it easier for auditors (and senior management) to see exactly why you chose certain controls.
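The scoring and prioritisation from steps 3 and 4, the rule that every unacceptable risk needs a treatment, and the control-to-risk mapping above, as an added Python example that is not part of the original post; the 1 to 5 scales, the acceptance threshold of 9, and the sample register entries are constructed assumptions, not values from any standard.

```python
from dataclasses import dataclass, field
# Constructed criteria: 1-5 likelihood x 1-5 impact, anything above 9 is
# unacceptable. Real thresholds come from the organisation's risk criteria.
ACCEPTANCE_THRESHOLD = 9

@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    owner: str              # risk owner accountable for treatment
    likelihood: int         # 1 (rare) .. 5 (almost certain)
    impact: int             # 1 (negligible) .. 5 (severe)
    treatment: str = ""     # mitigate / transfer / accept / avoid, "" = undecided
    controls: list = field(default_factory=list)   # controls mapped to this risk
    @property
    def level(self):
        return self.likelihood * self.impact

def prioritise(register):
    """Step 4: order risks so the highest levels get treated first."""
    return sorted(register, key=lambda r: r.level, reverse=True)

def check_register(register):
    """Findings an auditor would raise against the treatment plan."""
    findings = []
    for r in register:
        if r.level > ACCEPTANCE_THRESHOLD and r.treatment in ("", "accept"):
            findings.append(f"{r.asset}/{r.threat}: level {r.level} exceeds criteria, untreated")
        if r.treatment == "mitigate" and not r.controls:
            findings.append(f"{r.asset}/{r.threat}: mitigate chosen but no control mapped")
    return findings

def controls_to_risks(register):
    """Reverse map: which risk justifies each control (the SoA rationale)."""
    mapping = {}
    for r in register:
        for c in r.controls:
            mapping.setdefault(c, []).append(f"{r.asset}/{r.threat}")
    return mapping
# Constructed sample register (hypothetical assets, owners and scores).
REGISTER = [
    Risk("Customer DB", "Stolen credentials", "No MFA on admin portal", "IT Lead",
         4, 5, "mitigate", ["MFA", "Password policy", "Awareness training"]),
    Risk("Primary data centre", "Fire", "No suppression system", "Facilities",
         2, 5, "mitigate", ["Fire suppression", "Offsite backups"]),
    Risk("Internal wiki", "Accidental data loss", "No backups", "Ops", 3, 2, "accept"),
    Risk("Legacy app server", "Ransomware", "Unpatched OS", "IT Lead", 4, 4),
]
```

Running `check_register(REGISTER)` flags only the untreated ransomware risk on the legacy server, while the accepted wiki risk passes because its level sits below the threshold.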

Documenting and Approving Risks

All of these decisions typically end up in two core documents:

  1. Risk Assessment Report: Details which threats you identified, how likely they are, and what level of risk they pose.
  2. Risk Treatment Plan: Outlines the chosen responses (e.g., mitigate, accept) and the timeline for implementing controls.

These documents are then reviewed—and ideally approved—by top management. That visible endorsement ensures accountability at the highest level. Your organisation also needs a Statement of Applicability (SoA), which lists every control in Annex A, states whether it’s implemented, and explains the rationale (based on your risk decisions).

Maintaining the Risk Register

ISO 27001 isn’t a one-and-done exercise. The environment changes, new software is introduced, new business partners are onboarded—each shift can create fresh risks. To stay ahead, organisations maintain a living risk register:

  • Scheduled Reviews: At least once a year, re-examine your risk list. Are previous controls still working effectively? Have new threats emerged?
  • On-Demand Updates: If a major shift occurs (e.g., a cloud migration, large-scale remote working, or new regulations), reevaluate the relevant risks.
  • Version Control: Keep track of updates to the register, so there’s always a record of how decisions evolved over time.

This ongoing vigilance is what transforms ISO 27001 from a “tick-box” compliance project into a robust, proactive security posture.

Conclusion

A thorough risk assessment isn’t just an ISO 27001 compliance requirement—it’s the linchpin of any effective information security strategy. By systematically identifying assets, threats, and vulnerabilities, then deciding how to handle them, you set the stage for stronger, more targeted defences.

If you’re ready to kickstart your own ISO 27001 risk assessment journey, Atoro can help. As Europe’s first ISO 42001-certified cyber compliance agency, Atoro brings both technical depth and real-world understanding of what it takes to keep your information secure. Let’s work together to identify and treat the risks that matter most.