Additional insights 1
When companies say their ISO 27001 implementation 'went wrong', the reason is almost always the same: a flawed risk assessment at the start. The rest of the ISMS — policies, controls, procedures — is built on that foundation. If the foundation is wrong, a year of work amounts to documentation that does not reflect the actual state of the organisation.
Risk assessment in ISO 27001 is not a one-time task done and forgotten. The standard requires regular review — typically annually or after a significant change: a new system, new supplier, new service, or incident. Many organisations produce an excellent first assessment, achieve certification, and then allow the risk register to go stale. This is a common reason for a major non-conformity at the recertification audit.
Additional insights 2
The methodology does not need to be complicated. ISO 27001 does not prescribe a specific method — it requires that the method be documented, consistent, and cover all relevant information assets. Popular methods include a simple likelihood × impact matrix (5×5 or 3×3), OCTAVE Allegro, and FAIR for a quantitative approach. For most SME organisations, a well-structured 5×5 matrix with clearly defined criteria is entirely sufficient.
What is most often missed: cloud providers and SaaS tools the organisation uses (Google Workspace, CRM, accounting software), access by former employees that was never deactivated, undocumented shadow IT systems used by individual teams, and the physical security of premises and document destruction equipment.
Additional insights 3
The risk treatment plan (RTP) is just as important as the assessment itself. For each identified risk you must decide: accept it, reduce it with a control, transfer it (insurance, supplier contract), or avoid it (discontinue the activity). Annex A of ISO 27001 provides 93 controls — you do not have to implement all of them, but for every one you exclude, the SoA must document why.
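The three points above (a documented 5×5 likelihood × impact method, a register that is reviewed at least annually, and a treatment decision per risk with a justified SoA exclusion for every unused Annex A control) can be turned into a mechanical check that an internal auditor or ISMS owner runs before each review. The script below is an added example, not code from the original page or from the vCISO service it describes. The score bands (15 and above high, 8 to 14 medium), the acceptance threshold of 6, the 365-day review interval, the sample risks and the Annex A control identifiers in the sample SoA are all assumptions constructed for illustration; an organisation would substitute its own documented criteria.

```python
"""Added example: consistency checks for an ISO 27001 risk register and SoA.
All thresholds, bands and sample data are assumed for illustration."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

SCALE = range(1, 6)                    # 5x5 matrix: likelihood and impact each scored 1..5
TREATMENTS = {"accept", "reduce", "transfer", "avoid"}
REVIEW_INTERVAL = timedelta(days=365)  # assumed: annual review cycle
ACCEPT_THRESHOLD = 6                   # assumed acceptance criterion: higher scores cannot simply be accepted


@dataclass
class Risk:
    rid: str
    asset: str
    threat: str
    likelihood: int
    impact: int
    treatment: str
    last_reviewed: date
    control: str | None = None         # Annex A control id when the treatment is "reduce"


def score(risk: Risk) -> int:
    """Likelihood x impact on the 5x5 matrix; rejects values outside the defined scale."""
    if risk.likelihood not in SCALE or risk.impact not in SCALE:
        raise ValueError(f"{risk.rid}: likelihood and impact must be 1..5")
    return risk.likelihood * risk.impact


def rating(s: int) -> str:
    """Assumed banding for the matrix: 15-25 high, 8-14 medium, 1-7 low."""
    if s >= 15:
        return "high"
    if s >= 8:
        return "medium"
    return "low"


def check_risk(risk: Risk, today: date) -> list[str]:
    """Findings an internal auditor would raise for one register entry."""
    findings = []
    s = score(risk)
    if risk.treatment not in TREATMENTS:
        findings.append(f"{risk.rid}: unknown treatment '{risk.treatment}'")
    if risk.treatment == "accept" and s > ACCEPT_THRESHOLD:
        findings.append(f"{risk.rid}: score {s} ({rating(s)}) accepted above threshold {ACCEPT_THRESHOLD}")
    if risk.treatment == "reduce" and not risk.control:
        findings.append(f"{risk.rid}: 'reduce' chosen but no control assigned")
    if today - risk.last_reviewed > REVIEW_INTERVAL:
        findings.append(f"{risk.rid}: last reviewed {risk.last_reviewed}, review overdue")
    return findings


def check_soa(soa: dict[str, dict]) -> list[str]:
    """Every control marked not applicable must carry a documented justification."""
    return [
        f"SoA {cid}: excluded without justification"
        for cid, entry in soa.items()
        if not entry["applicable"] and not entry.get("justification", "").strip()
    ]


def audit(risks: list[Risk], soa: dict[str, dict], today: date) -> list[str]:
    """Run all checks and return the combined list of findings."""
    findings = []
    for r in risks:
        findings.extend(check_risk(r, today))
    findings.extend(check_soa(soa))
    return findings


# Constructed sample register reflecting the commonly missed items named on the page.
# Control ids below are illustrative placeholders, not a statement about specific Annex A clauses.
TODAY = date(2025, 6, 1)
SAMPLE_RISKS = [
    Risk("R1", "Google Workspace", "admin account takeover", 3, 5, "reduce", date(2025, 1, 10), control="A.5.15"),
    Risk("R2", "HR system", "former employee access never revoked", 4, 4, "accept", date(2025, 2, 1)),
    Risk("R3", "team file-sharing tool (shadow IT)", "data leakage", 3, 3, "reduce", date(2024, 3, 1)),
    Risk("R4", "on-site shredder", "paper records recovered from waste", 2, 2, "accept", date(2025, 5, 1)),
]
SAMPLE_SOA = {
    "A.5.15": {"applicable": True},
    "A.7.10": {"applicable": False, "justification": "no removable media in use"},
    "A.8.31": {"applicable": False, "justification": ""},
}

if __name__ == "__main__":
    for line in audit(SAMPLE_RISKS, SAMPLE_SOA, TODAY):
        print(line)
```

Running the sample produces four findings: R2 is a high-rated risk that was simply accepted, R3 has "reduce" selected with no control assigned and has not been reviewed within the year, and one SoA exclusion has no justification. R1 and R4 pass. The same checks run against a real register exported to CSV would surface exactly the gaps that turn into non-conformities at recertification.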
Our vCISO leads the risk assessment as part of the implementation service — including workshops with key stakeholders, risk register documentation, SoA, and RTP. If you are mid-implementation and stuck on this step, book a call.