When organisations seek ISO 27001 certification, they must have a defined information security risk assessment process. It is used to identify the information security risks that their newly implemented Information Security Management System (ISMS) must address.

Risk assessment is a continuous process. Clause 6.1.2 of ISO/IEC 27001 requires an organisation to define and apply an information security risk assessment process, and clause 8.2 requires that process to be carried out at planned intervals and whenever significant changes are proposed or occur. Information security risk assessment should therefore be treated as a formal, repeatable process run by designated information security staff: a core part of the ISO 27001 based ISMS. This article explains how organisations can conduct their risk assessment successfully; the following section sets out the procedure step by step.


Methodology of Information Security Risk Assessment for an ISO 27001 Certified ISMS

These are the steps that your organisation's information security risk assessment methodology must include.

  1. Formulating a Risk Management Framework

To run the risk assessment across your organisation's processes successfully, you need a well-formulated framework. It should define the scope of the assessment and the conditions under which it is run: at a planned interval (for example annually or quarterly) and whenever there is a significant change to the organisation or its information systems. The framework rests on a complete inventory of the organisation's information systems and information assets, compiled with input from every area of the organisation, since an asset missing from the inventory is never assessed.

The framework should specifically state how risks are identified, how ownership of each risk is assigned, how the consequence of a risk (the damage to the confidentiality, integrity or availability of information) is measured, how the likelihood of a risk occurring is rated, and what the risk acceptance criteria are. Applying the same criteria in every assessment is what makes successive results consistent and comparable.

  2. Risk Identification

Knowing the potential risks is the prerequisite for choosing appropriate preventive or corrective measures. Identify first the risks that can affect the confidentiality, integrity and availability of your business information. Then identify the threats to, and vulnerabilities in, your information systems and information assets: a risk is the combination of a threat acting on a vulnerability of an asset. Risk assessment is undoubtedly time-consuming, because it involves a thorough evaluation of all information systems and assets across every process or department of the organisation.

It is therefore recommended to follow a streamlined approach to risk identification. Since you already hold an inventory of information assets, work through it asset by asset: evaluate the activities and processes that involve each asset to identify the probable risks and cybersecurity threats, and record a named owner for each risk found.

  3. Analysis of Risks

After identifying the risks, analyse them to measure their impact on the confidentiality, integrity and availability of the organisation's information. Examine the risks to each asset, IT system and information process to determine their likelihood and the severity of their consequences. Physical theft counts too: the theft of an employee's mobile device that holds or can access company data is a risk to the business and must be analysed like any other. The absence of a formal information security policy for members of the organisation (for example on device encryption or the use of personal devices for work) is itself a vulnerability at the individual level.

  4. Evaluation of Risks

Evaluating the risks means deciding which of them require action, based on their severity measured against the acceptance criteria set in the framework. Responding to every risk in the same way is wasteful, because some have negligible impact or a negligible chance of occurring. Evaluate every risk carefully so that they can be prioritised and treated accordingly. A risk assessment matrix is usually used for this: the vertical axis represents the likelihood of the risk (low to very high) and the horizontal axis the extent of the damage it would cause (low to very high), and each cell maps to a risk level. Risks above the acceptance threshold go forward to treatment; those below it can be accepted and recorded as such.

  5. Risk Treatment

The last part of the methodology is deciding how to treat the information security risks, in order of priority. There are four options: avoiding the risk by eliminating the activity or asset that gives rise to it; modifying (reducing) the risk by applying effective controls; sharing the risk with a third party, such as an outsourcing partner or an insurer; and retaining the risk, which is permitted only when it falls within the risk acceptance criteria. Each treatment leaves a residual risk, which must be re-evaluated against the acceptance criteria, and the resulting treatment plan and residual risks require the approval of the risk owners.
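The five steps above, worked through in code as an added example (not from the article or from Compliancehelp): a small risk register with named owners, likelihood and impact rated on an assumed 1 to 4 scale, a risk matrix that scores each risk, evaluation against an assumed acceptance threshold, and the four treatment options with their residual risk. The assets, ratings and threshold are constructed for illustration; a real ISMS takes them from its own framework.

```python
"""Risk register walk-through for the ISO 27001 steps above.
Added example; scales, threshold and register entries are assumptions."""
from dataclasses import dataclass
from typing import Optional

# Assumed 1..4 scale for likelihood and impact (step 1: framework criteria).
SCALE = {1: "low", 2: "medium", 3: "high", 4: "very high"}
# Assumed acceptance criterion: likelihood x impact of 4 or less may be retained.
ACCEPTANCE_THRESHOLD = 4
TREATMENTS = {"avoid", "modify", "share", "retain"}


@dataclass
class Risk:
    risk_id: str
    asset: str
    owner: str                     # every risk has a named owner (step 1)
    scenario: str                  # threat acting on a vulnerability (step 2)
    likelihood: int                # step 3 analysis, 1..4
    impact: int                    # step 3 analysis, 1..4
    treatment: str = "retain"      # step 5 option
    control: str = ""              # control, partner or decision behind it
    residual_likelihood: Optional[int] = None
    residual_impact: Optional[int] = None


def _level(value: int) -> int:
    if value not in SCALE:
        raise ValueError(f"level {value} outside scale {sorted(SCALE)}")
    return value


def score(likelihood: int, impact: int) -> int:
    """One cell of the matrix: likelihood (vertical) x impact (horizontal)."""
    return _level(likelihood) * _level(impact)


def rating(s: int) -> str:
    """Bands over the 4x4 matrix (products 1,2,3,4,6,8,9,12,16)."""
    if s <= 2:
        return "low"
    if s <= 4:
        return "medium"
    if s <= 8:
        return "high"
    return "very high"


def inherent_score(risk: Risk) -> int:
    return score(risk.likelihood, risk.impact)


def residual_score(risk: Risk) -> int:
    """Score after treatment: avoid removes the activity (0); retain changes
    nothing and is only valid within the acceptance criteria; modify and
    share use the residual levels recorded by the risk owner."""
    if risk.treatment not in TREATMENTS:
        raise ValueError(f"{risk.risk_id}: unknown treatment {risk.treatment!r}")
    if risk.treatment == "avoid":
        return 0
    if risk.treatment == "retain":
        if inherent_score(risk) > ACCEPTANCE_THRESHOLD:
            raise ValueError(f"{risk.risk_id}: retain allowed only within acceptance criteria")
        return inherent_score(risk)
    if risk.residual_likelihood is None or risk.residual_impact is None:
        raise ValueError(f"{risk.risk_id}: {risk.treatment} needs residual levels")
    return score(risk.residual_likelihood, risk.residual_impact)


def evaluate(register):
    """Steps 4 and 5: highest inherent score first, each row carrying the
    decision the risk owner must sign off on."""
    rows = []
    for r in sorted(register, key=inherent_score, reverse=True):
        inherent, residual = inherent_score(r), residual_score(r)
        rows.append({
            "id": r.risk_id, "owner": r.owner,
            "inherent": inherent, "rating": rating(inherent),
            "treatment": r.treatment, "residual": residual,
            "status": ("accept residual" if residual <= ACCEPTANCE_THRESHOLD
                       else "further treatment required"),
        })
    return rows


# Constructed sample register (fictional assets and ratings).
REGISTER = [
    Risk("R1", "Sales laptops", "Head of Sales",
         "theft of an unencrypted laptop holding customer records", 3, 4,
         "modify", "full-disk encryption and remote wipe", 3, 1),
    Risk("R2", "Public web shop", "CTO", "volumetric DDoS takes the shop offline",
         2, 3, "share", "DDoS scrubbing service under contract", 1, 3),
    Risk("R3", "Legacy FTP server", "IT Manager",
         "plaintext credentials sniffed on the LAN", 3, 3,
         "avoid", "decommission; move transfers to SFTP"),
    Risk("R4", "Printer job log", "Facilities", "log read by a visitor", 1, 1,
         "retain", "within acceptance criteria"),
    Risk("R5", "Shared domain admin account", "IT Manager",
         "credential reuse by a former contractor", 4, 4,
         "modify", "individual admin accounts with MFA", 2, 3),
]

if __name__ == "__main__":
    for row in evaluate(REGISTER):
        print(row)
```

Running it lists R5 first (score 16, very high) and shows that its chosen control still leaves a residual score of 6, above the assumed threshold, so the register flags it for further treatment; the other four come out within the acceptance criteria. The `retain` check in `residual_score` enforces the rule in the text that a risk may only be retained when it is already within the acceptance criteria.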


These are the mandatory steps of an information security risk assessment that you must follow to secure your ISO 27001 certification. Getting the process right is not only a requirement of the standard; it also gives you a clear view of the vulnerabilities in your information handling, so that you can prepare the necessary preventive and corrective actions in good time. The actions should be decided jointly by management and the information security officials. Hence, once the assessment is complete, report all findings and risks comprehensively and retain the report as documented evidence, since the standard requires documented information on the results of the assessment. Management should then review the report in a meeting and agree plans for implementing the actions.

Author's Bio: 

Damon Anderson is the head consultant and owner of a renowned ISO consultancy in Australia that assists organisations through the certification process for various ISO standards. He is also an ISO 27001 specialist who likes to make organisations aware of the Information Security Management System (ISMS) and, through his write-ups, guides them to achieve ISO 27001 certification for it.

Contact Details:
Business Name: Compliancehelp
Email: sales@compliancehelp.com.au
Phone: 1800 503 401