14 January 2019
Information Security

ISO 27001: 6-Step Guide to Risk Assessment and Treatment

ISO 27001 makes information security risk management a core component of an information security management system (ISMS). This six-step guide walks organisations through the required risk assessment and through how to treat the risks it uncovers.

Step 1: Identify the Risk

ISO 27001 defines a risk as anything that can affect the confidentiality, integrity or availability of information. The organisation sets criteria that cover how risks are identified and under what conditions a risk may be accepted.


Step 2: Identify the Person Responsible

Who is the individual responsible for a risk and what actions can they take in the event of a security incident? The risk owner may need access to sensitive systems or emergency solutions to react to a problem. This step also establishes accountability for every accepted risk.


Step 3: Prioritise Risks

Businesses weigh the potential damage of a risk against how likely it is to happen. The priority list should reflect both how serious the consequences would be if the risk materialised and whether the company faces a realistic chance of it occurring. Some risks could be catastrophic for a business but occur so rarely that devoting resources to them is not worthwhile.


Step 4: Associate the Risks with Controls

Each risk is mapped to a control in Annex A of ISO 27001. Companies have 114 controls to choose from, and a risk can have more than one applicable control. A Statement of Applicability explains why each control is associated with the risk and whether it has been implemented.


Step 5: Create a Treatment Plan for the Risks

A risk treatment plan is a document that covers the controls in place to minimise risk impact, who the risk owners are, whether the associated controls have already been deployed and the statuses of any initiatives.


Step 6: Risk Monitoring and Review

Companies need to stay on top of the changing risk landscape. Risk monitoring encompasses accounting for any assets that have been added to the infrastructure, new threats that have emerged, potential vulnerabilities and any security incidents.

Risk assessment and treatment is a critical part of compliance with ISO 27001. Organisations that have questions about managing their risks can work with an ISO 27001 consultant to ensure that they have everything covered.