The risk assessment is the engine of your ISMS. Every control you implement, every policy you write, and every procedure you follow should trace back to an identified risk. ISO/IEC 27001 Clause 6.1.2 requires a defined, repeatable process for identifying, analyzing, and evaluating information security risks, one that produces consistent, valid, and comparable results, but it does not prescribe a specific methodology.
This flexibility is both an advantage and a pitfall. Organizations can choose a methodology that fits their size and complexity, but many choose poorly, resulting in risk assessments that look good on paper but do not reflect actual threats to their business.
Choosing a Methodology
| Approach | How It Works | Best For |
|---|---|---|
| Asset-based | Identify assets, the threats to each asset, the vulnerabilities those threats can exploit, and the resulting risks | Organizations with well-defined asset inventories; aligns with the asset-based approach in ISO/IEC 27005 |
| Scenario-based | Identify risk scenarios (threat + vulnerability + impact) independent of specific assets | Cloud-native organizations where traditional asset boundaries are fluid; corresponds to the event-based approach described in ISO/IEC 27005:2022 |
| Hybrid | Combine asset-based for infrastructure and scenario-based for business processes | Most organizations; provides comprehensive coverage |
Risk Criteria and Scales
Before assessing risks, define your risk criteria: the scales for likelihood and impact, the method for combining them into a risk level, and the threshold above which a risk must be treated rather than accepted. These criteria must be documented, approved by management, and applied the same way by every assessor, otherwise two people will score the same risk differently and the register stops being comparable across assessments.
Likelihood scale
- Rare (1) - May occur only in exceptional circumstances, less than once every 5 years
- Unlikely (2) - Could occur but not expected, approximately once every 2-5 years
- Possible (3) - Might occur, approximately annually
- Likely (4) - Will probably occur, multiple times per year
- Almost certain (5) - Expected to occur frequently, monthly or more
Impact scale
- Negligible (1) - Minimal business impact, easily recoverable
- Minor (2) - Limited impact on operations, recoverable within hours
- Moderate (3) - Noticeable impact on operations or reputation, recoverable within days
- Major (4) - Significant business disruption, regulatory attention, or customer impact
- Critical (5) - Severe business disruption, existential threat, major regulatory action
Risk Treatment
For each risk above your acceptance threshold, select a treatment option: modify the risk by applying controls, retain it, avoid the activity that creates it, or share it with a third party such as an insurer or supplier. The risk treatment plan documents which controls from Annex A (or other sources) address each risk, the implementation timeline, the responsible owner, and the expected residual risk after treatment.
After treatment, the residual risk must be formally accepted by the risk owners, as Clause 6.1.3 f) requires. This acceptance should be documented and reviewed during management reviews. If the residual risk still exceeds your acceptance criteria, additional treatment is required.
Auditor focus area: Auditors check that your risk treatment plan is actionable and tracked. A risk treatment plan with vague actions like "improve security" and no deadlines or owners will receive a nonconformity. Each treatment action should be specific, assigned to a named individual, and have a completion date.
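The scoring rules above (a 5x5 likelihood and impact matrix with an acceptance threshold) and the auditor's checks on the treatment plan (specific action, named owner, completion date, tracked status, residual risk within criteria) are simple enough to encode, and doing so catches the "improve security, no owner, no date" entries before an auditor does. The following is an added example, not code from the original article: the two scales are the ones described in the text, while the score bands, the acceptance threshold of 12, the register field names and the three sample risks are assumptions chosen for illustration.

```python
"""Risk register scoring and treatment-plan checks (added example, not from
the original article).  The 5x5 likelihood and impact scales follow the text;
the score bands, the threshold of 12, the field names and the sample risks
are assumptions made for illustration."""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

LIKELIHOOD = {1: "Rare", 2: "Unlikely", 3: "Possible", 4: "Likely", 5: "Almost certain"}
IMPACT = {1: "Negligible", 2: "Minor", 3: "Moderate", 4: "Major", 5: "Critical"}

# Assumed risk criteria: score = likelihood x impact; anything at or above the
# threshold must be treated, and its residual score must fall below it.
ACCEPTANCE_THRESHOLD = 12
BANDS = [(1, 5, "Low"), (6, 11, "Medium"), (12, 19, "High"), (20, 25, "Critical")]


@dataclass
class Action:
    description: str
    owner: Optional[str] = None                         # a named individual, not a team
    due: Optional[date] = None
    controls: list[str] = field(default_factory=list)   # e.g. Annex A references
    done: bool = False


@dataclass
class Risk:
    rid: str
    scenario: str                                       # threat actor + vulnerability + impact
    likelihood: int
    impact: int
    actions: list[Action] = field(default_factory=list)
    residual_likelihood: Optional[int] = None
    residual_impact: Optional[int] = None


def score(likelihood: int, impact: int) -> int:
    """Risk level on the 1-25 scale; rejects values outside the defined scales."""
    if likelihood not in LIKELIHOOD or impact not in IMPACT:
        raise ValueError(f"likelihood {likelihood} / impact {impact} not on the 1-5 scales")
    return likelihood * impact


def band(s: int) -> str:
    for lo, hi, name in BANDS:
        if lo <= s <= hi:
            return name
    raise ValueError(f"score {s} outside 1-25")


def inherent(risk: Risk) -> int:
    return score(risk.likelihood, risk.impact)


def residual(risk: Risk) -> int:
    """Expected score after treatment; falls back to the inherent score if none recorded."""
    if risk.residual_likelihood is None or risk.residual_impact is None:
        return inherent(risk)
    return score(risk.residual_likelihood, risk.residual_impact)


def needs_treatment(risk: Risk) -> bool:
    return inherent(risk) >= ACCEPTANCE_THRESHOLD


def audit_findings(risk: Risk, today: date) -> list[str]:
    """Checks an auditor applies to a treatment-plan entry: each action must be
    specific, mapped to a control, owned, dated and tracked, and the residual
    risk must satisfy the acceptance criteria."""
    findings: list[str] = []
    if not needs_treatment(risk):
        return findings                  # below threshold: accepted as-is
    if not risk.actions:
        findings.append("no treatment action recorded")
    for a in risk.actions:
        if len(a.description.split()) < 4:
            findings.append(f"action '{a.description}' is too vague")
        if not a.controls:
            findings.append(f"action '{a.description}' maps to no control")
        if a.owner is None:
            findings.append(f"action '{a.description}' has no owner")
        if a.due is None:
            findings.append(f"action '{a.description}' has no completion date")
        elif not a.done and a.due < today:
            findings.append(f"action '{a.description}' is overdue ({a.due})")
    if residual(risk) >= ACCEPTANCE_THRESHOLD:
        findings.append(f"residual score {residual(risk)} exceeds acceptance threshold")
    return findings


# Constructed sample register (illustrative data, not a real organisation).
REGISTER = [
    Risk("R-001",
         "External attacker exploits an unpatched internet-facing VPN appliance "
         "to reach the internal network and exfiltrate customer records",
         likelihood=4, impact=5,
         actions=[Action("Patch VPN appliance within 14 days of each vendor release",
                         owner="A. Example", due=date(2025, 3, 31),
                         controls=["A.8.8"], done=True)],
         residual_likelihood=2, residual_impact=5),
    Risk("R-002", "Data breach", likelihood=3, impact=4,       # the generic entry
         actions=[Action("Improve security")]),
    Risk("R-003", "Visitor tailgates into the lobby of a badge-controlled office "
                  "and sees a non-sensitive whiteboard", likelihood=2, impact=2),
]


def register_report(today: date = date(2025, 6, 1)) -> dict[str, dict]:
    return {r.rid: {"inherent": inherent(r), "band": band(inherent(r)),
                    "residual": residual(r), "findings": audit_findings(r, today)}
            for r in REGISTER}


if __name__ == "__main__":
    for rid, row in register_report().items():
        print(rid, row)
```

Running it reports R-001 as Critical (20) with an acceptable residual of 10 and no findings, R-003 as Low (4) and accepted by default, and R-002 with five findings: a vague action, no control mapped, no owner, no completion date, and a residual score of 12 that is still at the threshold because no residual rating was ever recorded. Those are exactly the gaps the auditor note describes; wiring a check like this into the register export makes them visible before the audit rather than during it.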
Common Risk Assessment Mistakes
- Generic risks only. Listing risks like "data breach" or "cyberattack" without specificity. Risks should describe specific threat actors exploiting specific vulnerabilities with specific impacts
- Copy-paste from templates. Using a risk register template without customizing it to your organization. Auditors can immediately identify generic risks that do not reflect your actual business
- Ignoring non-technical risks. Focusing only on technology risks while ignoring people risks (social engineering, insider threats) and process risks (inadequate change management, poor vendor oversight)
- Static assessment. Performing the risk assessment once for certification and never updating it. Your risk landscape shifts with every new system, vendor, and business process, and Clause 8.2 requires the assessment to be repeated at planned intervals and whenever significant changes are proposed or occur
- No management involvement. Conducting the risk assessment entirely within the IT department without business context. Risk impact must be evaluated from a business perspective, which requires input from business stakeholders