If there’s one thing that all ISO management systems have in common, it’s the management of risk.
The options for how to approach risk assessment.
Whether it’s health and safety, quality, environmental management or – as in the case of ISO 27001 – information security, the goal is consistent: to reduce the likelihood of incidents, minimise their impact if they do occur, and learn from them to improve processes. Many organisations use the PDCA (Plan-Do-Check-Act) approach to embed this cycle of continuous improvement.
Over the last decade, ISO standards have been re-written to follow a common high-level structure, putting even more emphasis on risk assessment.
In ISO 27001, clause 6.1.2 specifically requires organisations to “define and apply” a risk assessment process. This means not only designing a methodology but documenting it clearly to demonstrate your thinking to an auditor – and most importantly of all, ensuring it is actually applied in practice. Risk assessment in ISO 27001 is not just paperwork; it’s a tool for informed decision-making.
Common approaches to ISO 27001 risk assessment
ISO 27001 does not prescribe a specific method for assessing risk. This is a common misconception: ISO standards are rarely prescriptive. What ISO 27001 does require is that your risk assessment methodology should produce consistent, valid and comparable results. The aim is to ensure that decisions are based on structured analysis rather than guesswork, while still being practical and actionable.
It’s also important to acknowledge that perfection is unattainable. There will always be “unknown unknowns”, and trying to achieve a flawless risk assessment can create overly complex systems that staff cannot follow, potentially worsening outcomes rather than improving them.
Organisations often take different approaches to developing a risk assessment methodology:
- Off-the-shelf tools – Many commercial products exist, and while they can be effective, there is often a learning curve that staff may struggle to overcome.
- Borrowing methods from others – Adopting a colleague’s system can save time but may not fit your organisation’s specific needs. Without understanding the rationale behind it, the approach can fail fast.
- In-house design by a single individual – While having a ‘risk champion’ is helpful, risk is ultimately everyone’s responsibility. Risk owners need to understand what they are signing off on; this becomes challenging if only one person holds that knowledge, particularly if they leave the organisation.
The goal of any risk assessment methodology is to create a system that is understandable, actionable, and aligned with management objectives, allowing leaders to make informed decisions about risk.
Practical steps for developing a risk assessment methodology
If the above approaches don’t suit your organisation, here’s a practical method:
- Bring key managers together – Encourage discussion and debate to reach a consensus on how risks should be assessed and prioritised.
- Clarify terminology – Misunderstanding of basic concepts is a common source of confusion. Make sure everyone understands the definitions of the following:
  - Risk
  - Threat
  - Vulnerability
  - Likelihood
  - Impact
- Define your objectives – What are you aiming for? What are the most important things to your organisation? What is your risk appetite? How much money do you have to spend? What are the resources you have? Remember, perfect security is unattainable.
- Address the core principles of information security – Ensure your assessment includes Confidentiality, Integrity and Availability of information. You need to include all three of those – they aren’t optional.
- Choose the right level of complexity – A risk assessment does not need to be numbers based. Qualitative methods can be just as effective if they provide clarity and guide decisions.
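As an added example (not from the original article), here is a minimal qualitative risk register in Python that applies the steps above: agreed ordinal scales, a fixed likelihood-by-impact matrix so results are consistent and comparable, a check that every asset has been assessed for confidentiality, integrity and availability, and a comparison against the agreed risk appetite. The scale definitions, the matrix, the sample register and the owner names are all constructed assumptions for illustration.

```python
from dataclasses import dataclass

# Ordinal scales with agreed definitions (constructed for this example; agree your own in the workshop).
LIKELIHOOD = {"rare": "not expected within 5 years", "possible": "could happen within a year", "likely": "expected this year"}
IMPACT = {"minor": "absorbed by the team", "moderate": "disrupts a business unit", "severe": "threatens the organisation"}
LEVELS = ("low", "medium", "high")   # qualitative levels, lowest to highest; no numeric scoring
CIA = ("confidentiality", "integrity", "availability")
# Fixed likelihood x impact matrix: the same inputs always give the same level, so results are comparable.
MATRIX = {
    ("rare", "minor"): "low",       ("rare", "moderate"): "low",        ("rare", "severe"): "medium",
    ("possible", "minor"): "low",   ("possible", "moderate"): "medium", ("possible", "severe"): "high",
    ("likely", "minor"): "medium",  ("likely", "moderate"): "high",     ("likely", "severe"): "high",
}

@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str          # what could go wrong
    vulnerability: str   # the weakness the threat would exploit
    aspect: str          # one of CIA
    likelihood: str
    impact: str
    owner: str           # the manager who signs off on treatment

def risk_level(likelihood: str, impact: str) -> str:
    """Qualitative level from the agreed matrix; rejects labels outside the agreed scales."""
    if likelihood not in LIKELIHOOD or impact not in IMPACT:
        raise ValueError(f"value outside agreed scales: {likelihood!r}/{impact!r}")
    return MATRIX[(likelihood, impact)]

def missing_properties(register):
    """Assets for which some of confidentiality, integrity or availability were never assessed."""
    seen = {}
    for r in register:
        seen.setdefault(r.asset, set()).add(r.aspect)
    return {asset: sorted(set(CIA) - props) for asset, props in seen.items() if set(CIA) - props}

def exceeds_appetite(register, appetite: str):
    """Risks above the agreed appetite, highest first, for the owners' treatment decisions."""
    flagged = [r for r in register if LEVELS.index(risk_level(r.likelihood, r.impact)) > LEVELS.index(appetite)]
    return sorted(flagged, key=lambda r: LEVELS.index(risk_level(r.likelihood, r.impact)), reverse=True)

# Constructed sample register: the customer database has never been assessed for availability.
REGISTER = [
    Risk("customer database", "credential theft", "no MFA on admin accounts", "confidentiality", "likely", "severe", "IT manager"),
    Risk("customer database", "unauthorised change", "shared service account", "integrity", "possible", "moderate", "IT manager"),
    Risk("payroll system", "ransomware", "unpatched file server", "availability", "possible", "severe", "Finance director"),
    Risk("payroll system", "data leak", "unencrypted exports", "confidentiality", "rare", "moderate", "Finance director"),
    Risk("payroll system", "tampering", "no change control", "integrity", "rare", "minor", "Finance director"),
]
```

Running `missing_properties(REGISTER)` shows the coverage gap before any prioritisation, and `exceeds_appetite(REGISTER, "medium")` returns only the risks the owners must decide to treat.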
The overarching purpose of a risk assessment is not to produce perfect metrics but to provide a practical tool for decision-making. It should highlight problem areas, suggest actions, and support managers in making informed, balanced choices.
Over-complication or overemphasis on scoring systems can reduce usability, whereas a clear, accessible methodology ensures staff engagement and better outcomes. Remember, risk assessment is a decision-support tool, not a punitive measure.
By keeping your risk assessment methodology simple, consistent, and aligned with ISO 27001 requirements, your organisation will be well-positioned to manage information security risks effectively while remaining compliant with the standard.