How to Perform an ISO 27001 Risk Assessment

June 13, 2022

A risk assessment is a critical part of the ISO 27001 process. And for obvious reasons. In order to address and correct the information security risks your organization faces, you first need to identify them. An ISO 27001 risk assessment is an excellent way to systematically and comprehensively identify and evaluate information security risks.

In other words, the ISO 27001 risk assessment isn’t simply an unstructured analysis. It’s an opportunity to get everyone within your company on the same page and precisely define your risk metrics and methodologies.  

That may sound complicated, so let’s break the process down step by step.

ISO 27001 risk assessment checklist

ISO 27001 risk assessment checklist

Let’s start at the beginning. If you’re reading this, you likely already appreciate that ISO 27001 is one of the most recognized and respected information security standards globally.  Successfully implementing an ISO 27001  information security management system (ISMS) is a rigorous, multi-step process. 

How do you know which risks to assess?

In fact, there is a considerable amount of preparatory work that needs to happen before the risk assessment even takes place. The company should appoint a team to drive the process and draw up an implementation plan. You then should define the scope of your ISMS. That is, systems, assets and departments are to be covered by the ISMS.

Defining the scope is a crucial strategic decision. If it is too broad, implementing ISO 27001 may be too complex, unwieldy and expensive. On the other hand, if the scope is too narrow, you risk gaps in your data security. Carefully defining the scope is a good way to ensure critical infrastructure and processes aren’t being overlooked in your overall information security process. 

The process to determine the scope of your ISMS occurs prior to the risk assessment. But we can see how they are related. The ISO 27001 risk assessment procedure is a structured, targeted process performed according to the implementation plan and within the defined scope.

Evaluating risk 

Within the framework detailed above, the risk assessment is the process that aims to identify data security risks to the company. The assessment should also determine how likely each risk is to occur and the potential consequences for the organization. 

The risk assessment is followed by risk treatment, which aims to remedy the identified risks.

Implementing the ISO 27001 risk assessment & treatment

ISO 27001 risk assessment & treatment

The risk assessment is much easier to understand and manage when you break it down into its component parts. This brief risk assessment checklist will help you cover all your bases.

Define your assessment methodology

ISO 27001 doesn’t precise a methodology for assessing risk. It’s up to you to ensure you devise a comprehensive approach that ensures everyone in the organization is on the same page. What metrics and rules will you use to measure risk? What scale will everyone grade risks on? Will it be qualitative (e.g. defined by subjective metrics like low, medium or high risk) or quantitative (with numerical values assigned to risk)? 

Consider an asset-based risk approach

There are two paths for assessing risk under ISO 27001: scenario-based and asset-based. 

A scenario-based risk assessment works by positing risk scenarios and then considering what factors would produce that risk. The approach is relatively simple and fast, but there is a significant possibility of overlooking critical risk factors. 

With an asset-based approach, each asset within the organization is carefully assessed for vulnerabilities. This approach is more time-consuming, but it is generally more robust and comprehensive.  

What is the risk impact?

Once you have determined threats and vulnerabilities within your organization, you should evaluate the consequences of each risk. 

Doing so will help you prioritize which controls to implement. Threats and vulnerabilities that potentially produce the biggest impact need to be dealt with accordingly. 

For example, threats that could be reputationally damaging or lead to significant financial losses will naturally be prioritized. 

By contrast, some vulnerabilities may be associated with relatively low risk impact. Ameliorating such risks will be a lower priority. Some businesses may even decide to accept such risks, considering the relatively low potential harm. 

Create a risk treatment plan

Once you have identified risks, you need to account for how you will address each one. As detailed above, not every vulnerability will necessarily be deemed high priority.

According to the ISO 27001 protocol, there are four recognized actions you can take to address a vulnerability:

  • Treat: Implement controls to mitigate the chances of the risk occurring
  • Avoid: Prevent the conditions in which the risk could take place
  • Transfer: Engage a third party to mitigate the risk (e.g. insurance)
  • Retain: Accept the risk because the cost of dealing with it is higher than the potential impact  

Don’t hesitate, automate: ISO 27001 risk assessment tool

Implementing a risk assessment is a complex process. There is an enormous amount of data that needs to be collected, often spanning multiple departments. The process involves close coordination, clear lines of communication. Plus you need up-to-date information about the latest policies and access to approved templates.  

The procedure may sound overwhelming. However, dedicated compliance technology greatly simplifies the whole process.  Consider how Scytale’s automation platform automates evidence collection and streamlines workflow. Customers can complete their risk assessment quickly and independently. Customers can then receive the full evidence of the process immediately. In fact, having a powerful automated ISO 27001 risk assessment at your disposal can make all the difference – making a massively time-consuming and expensive process faster, more cost-effective and efficient. See how our customers got fully prepared fast and effortlessly for their audit using our automation platform.

By eliminating human error and enhancing your ability to monitor your systems, automation also simply means better information security all round. 

Addressing risks and getting certified 

The risk assessment is just one component of your overall risk management strategy. Once methodically determined vulnerabilities within the organization, and methodically calculated how best to treat them, it’s time to take remedial action.

We can now appreciate just how important the risk assessment is. The process involves aligning the organization along a defined methodology and defining a process by which to assess risk. Risk assessment also helps critically evaluate which vulnerabilities present the greatest potential impact to the company. The process is demanding, but undertaken correctly, it can provide powerful insights into how your organization is structured, what its strengths and weaknesses are, and help clarify long-term objectives.