
ISO 27001 Risk Assessment: Best Practices

ISO 27001 certification can only be attained by complying with the 10 mandatory information security management system (ISMS) clauses, two of which explicitly mention risk assessments. This means your organization needs to define a risk assessment process, put it into practice, and make sure it is followed consistently. This will need to be demonstrated in the initial ISMS certification audit and during each subsequent ISMS surveillance audit.

This article walks through the best practices for implementing a compliant ISO 27001 risk assessment approach and making it work effectively with the right tools.

Summary of Best Practices for ISO 27001 Risk Assessment

  • Understand the ISO clauses related to risk assessment: There are two relevant clauses. Clause 6 (“Planning”) requires organizations to define and apply risk management processes to promptly capture and address risks. Clause 8 (“Operation”) demands that risks be reassessed periodically and upon relevant changes.

  • Determine a risk assessment approach: Often, a pure quantitative or qualitative risk assessment methodology has blind spots. To produce the best results, it is recommended to use a mix of both.

  • Determine inherent risks: Accurate risk assessments start with the assumption that no controls are yet in place. This way, the organization is aware of the gross risks, and a risk profile can be determined.

  • Identify mitigation measures based on your internal control system (ICS): You can map existing controls to identified risks and evaluate where gaps exist, such as insufficient or ineffective controls.

  • Implement a risk register: Risks need to be tracked in a centralized register. Each risk needs to be owned and have an appropriate risk response.

  • Track and report risk mitigation: The end-to-end risk management process is relevant for ISO 27001 and doesn’t stop once the assessment is ready. Identified risks need to be tracked, managed, and reported.

  • Simplify risk management processes with AI capabilities: Automations such as AI-assisted assessments or quality checks can be invaluable in simplifying risk management efforts.

Understand the ISO Clauses Related to Risk Assessment

To ensure the best outcomes from the surveillance audit and achieve ISO 27001 certification, it is essential to thoroughly understand the requirements outlined in the standard. These can be divided into two important parts: the ISMS clauses, which address your ISMS framework, and the Annex A controls, which list the controls an organization applies at its own discretion.

Risk management is an important topic in the ISMS clauses because risks are the key element for building effective controls to address them and are at the center of a custom ISMS approach. If you simply look at the Annex A controls, each control may seem necessary, but you can’t possibly know the scope and depth to which it needs to be implemented without first understanding the specific information security risks in your organization that it should address.

For example, access controls are always a good idea, but what exactly does your organization need? To answer this question, your organization needs to know beforehand what assets exist, which are critical, what threats could occur, how vulnerable they are, and what protection levels are needed for each. This stems from risk assessments and continuous risk monitoring, which is precisely what Clauses 6 and 8 require.

Clause 6: “Planning”

As its title suggests, this is all about preparation to respond to the information security risks that can occur. You need to demonstrate that you’ve designed the following:

  • A risk management framework: You need a risk management framework, endorsed from the top down, representing a policy that governs risk management processes throughout the organization. The policy must define the terminology to be used for risk management (e.g., material, threat, risk appetite, etc.), the approach for assessing and mitigating risks, and the expectations for reporting and escalating risks.

  • A risk assessment process: Risk assessments should be embedded in process workflows wherever possible. For instance, as part of business continuity, risks associated with unlikely but potentially major-impact events should be assessed. Another example is risk assessments as part of third-party management, particularly when a new system that connects to your environment is being acquired. These risk assessments must utilize documented methodologies that align with the risk management framework.

  • A risk treatment process: Identified risks need to have a “risk response,” which typically has four options: treatment (mitigation through controls), acceptance (with proper justification and approval), transference (such as using insurance), or avoidance (stopping the risk-bearing activity). Each organization should define its own risk treatment process and use it for any identified risk resulting from risk assessments.

Clause 8: “Operation”

As risk management is not a one-time or annual exercise, this clause demands that risks be continuously assessed and reported. This effort should reflect the evolving threat landscape and draw on lessons learned from incidents, audits, control deficiencies, and any other data points that indicate changes to the organization’s risk profile. You need to demonstrate that you’ve implemented the following:

  • A risk register: Risks should reside in a central repository, ideally in a GRC tool. This way, they can be tracked, reported, audited, and connected to owners, findings, and controls at all times.

  • A risk monitoring process: All risks have a lifecycle, typically consisting of identification, evaluation, treatment, and closure. Unmanaged risks can be detrimental to organizations, leading to prolonged open vulnerabilities, noncompliance, audit findings, and, most importantly, increased likelihood of incidents. Ownership and tracking need to be in place as part of a risk monitoring process.

  • Management risk reporting: Finally, risks need to be made transparent to management through designated channels (such as a risk management committee), with regular reporting of the current risk profile, new high/critical risks, overdue unmitigated risks, and other key risk indicators (KRIs).

Determine a Risk Assessment Approach

As part of Clause 6, your ISO 27001 risk assessments require an established process and an associated methodology. This is not prescriptive, as what works for one organization may not work for another. Each company needs to develop its own approach, so consider the following suggested models.

Quantitative Risk Assessment

This approach can be used to evaluate the financial dimension of risks, quantifying them based on various factors, such as:

  • Data from incidents that occurred within the organization

  • Losses reported in the press for similar risks (e.g., if you are assessing the cost of a data breach, you may look at similar industry peers that have been compromised)

  • Business intelligence (BI) data collected from sales to assess the costs of missed opportunities

  • Estimates for operational recovery

For example, let’s assume you’ve identified a risk of one of your critical third parties having downtime and not being able to fulfill their obligations to your company; in turn, this would prevent you from fulfilling commitments to your customers. Your quantitative methodology may assess impact as follows:

  • Lost revenue: Inability to deliver products or services during the third party’s downtime, including deferred or permanently lost sales

  • Contractual penalties and service credits: SLA breaches, liquidated damages, or mandatory customer refunds and credits

  • Increased operating costs: Manual workarounds or the cost of engaging alternative providers over time

  • Remediation and recovery costs: Incident response, technical recovery, customer communications, and post-incident control enhancements

  • Regulatory and compliance costs: Fines, supervisory fees, mandated audits, or increased capital or insurance requirements, where applicable

  • Insurance impacts: Deductibles, uncovered losses, premium increases, or exclusions triggered by an incident

There’s value in numbers, but numbers will typically carry a high degree of uncertainty when assessing risks that have not yet materialized. For this reason, there are alternative risk assessment approaches that may be more suitable.

Qualitative Risk Assessment

With a qualitative approach, values are assigned to various dimensions you are assessing (such as legal, compliance, reputational, market, or even financial risk). These values could range from 1 (“observed impact”) to 5 (“critical impact”), or you can use any scale that best fits the organization and its risk management framework. The likelihood of risks occurring may also be expressed as a qualitative value (e.g., “never,” “rare,” “often,” “frequent”). 

Each value needs to be properly defined, as must be the potential likelihood and impact. For instance, here is a potential legend for risks that may lead to a regulatory impact:

  • 1 (Observed): No breach of any regulations and would not draw attention from regulators

  • 2 (Low): Limited attention from regulators

  • 3 (Medium): Regulatory scrutiny due to noncompliance with certain provisions

  • 4 (High): High fines and immediate regulatory action, such as audits, are very likely

  • 5 (Critical): The operating license may be revoked, and large penalties are almost certain

Hybrid Risk Assessment

As the name suggests, hybrid risk assessments combine elements of quantitative and qualitative approaches. For example, you can easily craft a classic 5×5 matrix that has an axis for likelihood (probability) and one for impact. This approach lets you combine numerical values with qualitative attributes for the impact dimensions you wish to assess. 

For example, reputational losses can be evaluated from “observed” to “critical” (or from 1 to 5) based on a defined legend for each severity, while financial impact can be quantified on a scale from 1 to 5 as well but expressed in terms of P&L losses, e.g., under $10,000 = 1 (“observed”), $10,000-100,000 = 2 (“low”), and so on.

A hybrid approach can provide the best of both worlds. However, it is up to your company and its risk framework to design the most suitable risk assessment methodology.

Determine Inherent Risks

If ISO 27001 risk assessment is a new process in your organization, you may wonder about where you should look to even start collecting risks to form the baseline. If there are no current processes in place where risks are assessed (e.g., business impact analyses, new vendor onboarding, new products, etc.), you can still gather information from a variety of sources. Consider the following:

  • Audit findings: Any open or past audit findings can indicate deficiencies that tie back to inherent risks.

  • Compliance obligations: Applicable regulations mandate that companies protect themselves, their customers, and other companies from specific risks.

  • Incidents: Any security incidents (such as unauthorized accesses) or recurring operational issues (such as service downtimes) also point to risks that need to be registered and assessed.

  • Threat intelligence: Intel data can provide valuable insights into emerging threats, attack patterns, and industry concerns related to protecting against security risks.

Inherent risks are called that for a reason. Risks must first be assessed without considering existing or future controls to understand the company’s exposure, regardless of the chosen methods to deal with these risks. These are also referred to as “bare risks” or “gross risks.” A risk response must then be developed for each of them. For those that the company wants to treat through mitigating measures, controls are applied to lower the likelihood or impact of the risk materializing. A residual risk is then calculated, and further decisions are made based on whether the risk has been lowered to an acceptable level or if additional controls are required.

Identify Mitigation Measures Based on Your Internal Control System (ICS)

As part of the risk treatment mandated by Clause 8, an organization pursuing ISO 27001 certification, or one choosing to adopt security best practices to mitigate its risks, will need to establish an internal control system (ICS) and put it into operation.

Controls are the backbone of risk management. An ICS may be built by following the ISO 27001 standard’s Annex A or by tailoring controls to best fit the company’s needs. To link controls to risks, it’s a good idea to build a Risk and Control Assessment (RCA) that serves as an internal overview of the identified risks, applicable controls, and their prioritization.

For example, suppose that you have identified four main information security inherent risks. For each of these, you decided that the risk response will be “treatment.” Consequently, controls will be implemented to ultimately reduce the inherent risk. Combining preventive and detective controls, applying them in layers (utilizing multiple controls to mitigate a single risk), and aiming to have as many automated controls as possible will provide better control effectiveness and a lower overall residual risk.

Here is an example of a risk and control assessment (RCA).

Implement a Risk Register

A risk register is a risk management tool that helps risk and control owners track, elaborate on, and report risks at various lifecycle stages. It also serves as a central tool for management to get insights into its current risk profile and potential key risk indicators. 

There are several ways to approach the risk register. One traditional way is to add an entry each time a new risk is identified, whether it is through vendor assessments, incident post-mortems, control failures, regulatory noncompliance, or other means. Any such identified deficiency will be considered a standalone risk. However, this can become difficult to manage as the list grows, with numerous risks that might partially overlap key areas.

Another approach is to maintain a relatively static and concise list of risks (determined previously in the ISO 27001 risk assessment) and consider it the organization’s core list of risks—its risk taxonomy. Any new risks can be considered and referred to as “self-identified issues” (if discovered internally) or “findings” (if they result from audits). Each one of these self-identified issues or findings should be linked to one of the core list of risks, and can affect their scores when unmitigated, changing the organization’s risk profile.

Regardless of the chosen model, ensure that each entry can be linked to an owner, a risk, appropriate controls, the affected asset or process, and the associated risk calculation.
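The following is an added example, not code from the article or from any GRC product it mentions. It ties together three of the sections above in one small model: the hybrid 5×5 scoring (financial loss banded onto the 1 to 5 scale, combined with qualitative dimensions and a likelihood value), the inherent versus residual calculation after layered preventive and detective controls are applied, and the register-entry check that every risk has an owner, an affected asset, a valid response, and controls when the response is “treat.” The financial bands above $100,000, the five-step likelihood scale, the rating thresholds, the rule that preventive controls lower likelihood and detective controls lower impact, and the sample third-party-downtime risk are all assumptions constructed for this example.

```python
from dataclasses import dataclass, field

# Financial impact bands: the article gives "under $10,000 = 1, $10,000-100,000 = 2";
# the bands above $100,000 are an ASSUMPTION made for this example.
FINANCIAL_BANDS = [(10_000, 1), (100_000, 2), (1_000_000, 3), (10_000_000, 4)]

# Five-step likelihood scale. The article names never/rare/often/frequent;
# "possible" is an ASSUMED middle step so the matrix is a full 5x5.
LIKELIHOOD = {"never": 1, "rare": 2, "possible": 3, "often": 4, "frequent": 5}

# Rating thresholds for the likelihood x impact product (1..25); ASSUMED values.
RATING_BANDS = [(4, "Low"), (9, "Medium"), (15, "High")]

# The four risk responses named in the article's Clause 6 discussion.
RISK_RESPONSES = {"treat", "accept", "transfer", "avoid"}


@dataclass
class Control:
    name: str
    kind: str           # ASSUMED simplification: "preventive" lowers likelihood, "detective" lowers impact
    reduction: int      # number of scale steps the control removes
    automated: bool = False


@dataclass
class Risk:
    risk_id: str
    title: str
    owner: str
    asset: str
    likelihood: str
    impacts: dict                      # impact dimension -> score 1..5
    response: str = "treat"
    controls: list = field(default_factory=list)


def financial_score(loss_usd: float) -> int:
    """Map an estimated P&L loss onto the 1..5 impact scale."""
    for ceiling, score in FINANCIAL_BANDS:
        if loss_usd < ceiling:
            return score
    return 5


def rating(score: int) -> str:
    """Translate a 1..25 product into the qualitative rating used for reporting."""
    for ceiling, label in RATING_BANDS:
        if score <= ceiling:
            return label
    return "Critical"


def inherent_score(risk: Risk) -> int:
    """Gross risk: no controls assumed; likelihood times the worst impact dimension."""
    return LIKELIHOOD[risk.likelihood] * max(risk.impacts.values())


def residual_score(risk: Risk) -> int:
    """Apply layered controls. Preventive steps lower likelihood, detective steps lower
    every impact dimension; both floor at 1. Non-treated risks keep their gross score."""
    if risk.response != "treat":
        return inherent_score(risk)
    lik = LIKELIHOOD[risk.likelihood]
    impacts = dict(risk.impacts)
    for ctrl in risk.controls:
        if ctrl.kind == "preventive":
            lik = max(1, lik - ctrl.reduction)
        elif ctrl.kind == "detective":
            impacts = {dim: max(1, v - ctrl.reduction) for dim, v in impacts.items()}
    return lik * max(impacts.values())


def validate_entry(risk: Risk) -> bool:
    """Register hygiene: owner, affected asset, a known response, and controls if treated."""
    if not risk.owner or not risk.asset:
        raise ValueError(f"{risk.risk_id}: owner and asset are required")
    if risk.response not in RISK_RESPONSES:
        raise ValueError(f"{risk.risk_id}: unknown risk response {risk.response!r}")
    if risk.response == "treat" and not risk.controls:
        raise ValueError(f"{risk.risk_id}: treated risk has no mitigating controls")
    return True


def register_report(risks: list) -> list:
    """Rows for a management report: inherent vs. residual rating per register entry."""
    rows = []
    for r in risks:
        validate_entry(r)
        inh, res = inherent_score(r), residual_score(r)
        rows.append({
            "id": r.risk_id, "owner": r.owner,
            "inherent": rating(inh), "residual": rating(res),
            # ASSUMED acceptance threshold: anything still High or Critical needs more controls
            "needs_more_controls": rating(res) in ("High", "Critical"),
        })
    return rows


# Constructed sample: the article's third-party downtime scenario with made-up figures.
THIRD_PARTY_DOWNTIME = Risk(
    risk_id="R-01", title="Critical third party unavailable",
    owner="Head of Vendor Management", asset="Order fulfilment platform",
    likelihood="often",
    impacts={"financial": financial_score(250_000), "reputational": 4, "regulatory": 2},
    controls=[
        Control("Contracted secondary supplier", "preventive", 1),
        Control("Automated availability monitoring and failover runbook", "detective", 1, automated=True),
    ],
)

if __name__ == "__main__":
    for row in register_report([THIRD_PARTY_DOWNTIME]):
        print(row)
```

For the sample entry the gross score is 4 × 4 = 16 (“Critical”); after one preventive and one detective control it drops to 3 × 3 = 9 (“Medium”), which is the kind of before-and-after figure an RCA row and the risk register would carry for each risk.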

Track and Report Risk Mitigation

Open risks should be managed and tracked either centrally by a dedicated function or autonomously by each assigned risk owner. Whenever the treatment option is to mitigate the risks with additional or improved controls, action items should be defined and assigned to the right owners. 

Regular reporting to internal and external bodies should occur, as required by the organization itself, ISO 27001, and potential industry regulators. For instance, ISO 27001 requires at least annual reporting of the ISMS to the management body. Internally, the organization may decide that a risk forum or committee is in order, with more frequent reporting. Thus, essential risk management information may be disseminated, such as an overview of open and overdue risks, as well as requests for decision-making, such as risk acceptance.

Simplify Risk Management Processes with AI Capabilities

Many of the steps discussed above can be automated or assisted with software to reduce overhead, inconsistency, and other issues specific to manual processes—while keeping human judgment in control of key risk decisions. Specifically:

  • ISO 27001 risk assessments can be executed by implementing a repeatable, automated model (qualitative, quantitative, or hybrid) in Drata’s Agentic Trust Management Platform, reducing dependence on spreadsheets and ad hoc trackers. You can use your internal controls and centralized risk register as shared data sources within Drata—linking risks to controls, evidence, dashboards, and forms for consistent reporting across frameworks. 

  • Within Drata’s Integrated Risk Management capabilities, risk treatment activities can be quality‑checked and tracked with automated reminders to owners and stakeholders, with status and remediation updates reflected centrally in the risk register and associated controls.

  • Risk reports can be prepared far more efficiently by configuring automated dashboards and insights in Drata, giving management a current view of key risks, KRIs, and control effectiveness without manual data pulls.

There’s more than one way to fulfill the requirements of an ISO 27001 risk assessment. However, risk management is a continuous process that should run on reliable, integrated technology—ideally a platform that centralizes risks, controls, evidence, and reporting and uses automation and AI to keep everything current.

Takeaway

An ISO 27001 risk assessment is a key element in preparing for a certification audit, but that’s not the only benefit. A healthy organization embeds risk management processes into every business and operational activity as well as within its overall culture. Determining the types of risks, the necessary controls, and the ongoing threats and vulnerabilities for every process is a daily activity. Modern GRC platforms with embedded AI capabilities—like the Drata Agentic Trust Management Platform—augment work across security, risk, and compliance teams by reducing manual effort, keeping risk data current, and helping teams act faster with confidence.

APRIL 17, 2026