Published on: May 10, 2017
How to Perform an ISO 27001 Risk Analysis
Performing a risk assessment is a central part of the ISO 27001 process for implementing an ISMS (Information Security Management System). How could you protect any environment without being fully aware of the threats it faces, its level of exposure, and variables such as the likelihood of occurrence and the estimated level of impact?
Understanding all those factors and how they compare to your company's risk appetite is a complex job, but it should enable you to select proper controls based not on guesswork but on evidence. The result is not only effective protection but also a cost-effective approach: it allows you to direct your efforts and resources to countermeasures that fit your specific scenario, protecting what really matters. At the end of the day, that is what security is all about.
Before performing a risk assessment, a few questions must be answered:
What is the best risk assessment method?
What tasks are necessary?
What should be the final product?
What should I do after the risk assessment?
ISO 27001 addresses all those questions, and the process itself is quite simple:
Step 1: Understanding Your Context
A common mistake in first-time assessments is treating all assets and information with the same protection level. ISO 27001 emphasizes aligning your risk assessment with the business context and objectives: good security management means protecting what really matters to your organization.
To begin to understand the context around each asset, start by defining:
ISMS Scope – Which processes, departments, or locations are covered?
Purpose of risk management – Compliance with regulations (e.g., GDPR, SOX), customer requirements, or internal goals.
Risk evaluation and acceptance criteria – How risks will be scored, compared, and prioritized, and what level of risk the organization is willing to accept (ISO 27001 clause 6.1.2 requires both to be defined before the assessment).
Every organization’s context is unique. By clearly defining boundaries, you avoid over-securing low-value assets and ensure focus on what truly impacts confidentiality, integrity, and availability (the CIA triad).
Step 2: Risk Identification
Risk identification begins with listing all assets in scope and understanding the threats, vulnerabilities, and potential impacts that apply to them.
A practical approach is to identify all assets that fall within your scope and ensure you have sufficient information about each one for a proper analysis. Again, this is a context-driven activity, but the basic information usually includes the type of asset, its owner, and the value it represents for your company.
Key tasks in the risk identification process:
Asset inventory – Identify information assets (data, applications, infrastructure, people, processes). Capture owner, classification, and business value.
Threats and sources – Consider adversarial threats (attackers, insiders), accidental ones (human error), structural ones (system failure), and environmental ones (natural disasters, power outages).
Vulnerabilities – Look for weaknesses such as misconfigurations, unpatched systems, lack of training, or inadequate physical safeguards.
Existing controls – Document safeguards already in place (firewalls, encryption, training programs). Verify they function as intended to avoid a false sense of security.
Potential impacts – Define consequences of a security event (financial loss, downtime, regulatory fines, reputational harm).
Tip: Using a risk register is the best way to capture and track identified risks. It ensures consistency, accountability, and provides evidence during audits.
ISO 27005 also describes more than one approach to risk identification, including:
Asset-based analysis
Scenario-based analysis (using workshops, interviews, or incident history)
You can gather this information from incident reports, talking with asset owners, or even using threat catalogues. Using a professional risk assessment tool can be quite effective and streamline the process.
With StandardFusion's all-in-one GRC software, you can streamline risk identification using built-in asset templates mapped to 170+ common threats, enabling faster and more accurate assessments. It supports both asset-based and scenario-based risk methodologies.
Step 3: Risk Analysis
After identifying risks, the next step is to determine their severity by analyzing both the likelihood of occurrence and the potential impact on your organization. Risk analysis transforms a long list of identified risks into actionable insights, enabling leaders to prioritize what matters most.
Defining Risk Criteria
Before analysis begins, use the risk evaluation criteria established in Step 1. This ensures your scoring aligns with business objectives and avoids ad hoc or inconsistent assessments. ISO 27005 emphasizes that risk analysis should always be tied back to these criteria.
Qualitative Risk Analysis
The most common approach in ISO 27001 assessments is qualitative analysis, which uses descriptive categories to rate risks:
Likelihood scale: Rare, Unlikely, Possible, Likely, Almost Certain
Impact scale: Insignificant, Minor, Moderate, Major, Severe
The results are often presented in a risk matrix, where risks are plotted on a grid to visualize which ones require urgent treatment. While subjective, qualitative analysis is flexible and sufficient for most organizations, especially when combined with expert judgment and incident data.
Quantitative Risk Analysis
In environments where loss data is available, a quantitative approach may be used. This assigns numerical values to both likelihood and impact, typically expressed as:
Single Loss Expectancy (SLE) – the expected loss from a single occurrence, calculated as asset value × exposure factor (the fraction of the asset's value lost in one event)
Annualized Rate of Occurrence (ARO) – the number of times per year the event is expected to occur
Annualized Loss Expectancy (ALE) – SLE × ARO, the expected loss per year
Quantitative analysis is more precise and less subjective, and it lets you compare the annual loss a control avoids with what the control costs, but it can be time-consuming and depends heavily on reliable historical data.
Semi-Quantitative Methods
Many organizations use a hybrid (semi-quantitative) approach, converting descriptive categories into numerical values (e.g., “Low = 1, Medium = 2, High = 3”) to make risk comparisons easier. This provides a balance between simplicity and measurable results.

Risk Interdependencies
Another aspect often overlooked is the interdependency of risks. For example, a power outage (environmental threat) may also increase the likelihood of data corruption (structural threat). Considering these cascading effects provides a more realistic picture.
Outputs of Risk Analysis
By the end of this stage, you should have:
A risk score (qualitative or quantitative) for each identified risk.
A risk matrix or ranking showing high, medium, and low priorities.
Evidence that demonstrates how scores were derived (essential for ISO 27001 audits).
Input for Step 4: risk evaluation, where risks are compared against the organization’s risk appetite and tolerance.
Step 4: Risk Evaluation
At this stage of the ISO 27001 risk assessment, you’ve already identified and analyzed risks. The next step is to evaluate them against your organization’s defined risk criteria and decide which require action. Risk evaluation ensures that limited resources are focused on the risks that truly matter to your business.
Applying Risk Acceptance Criteria
ISO 27001 requires organizations to define risk acceptance criteria, which you set as part of the criteria in Step 1. These criteria specify what level of risk is tolerable and what must be treated. For example:
Low-level risks – Can be accepted without further action.
Medium-level risks – May require monitoring or limited treatment.
High and critical risks – Must be addressed through a formal Risk Treatment Plan (RTP).
The evaluation step bridges the gap between analysis outputs (risk scores) and management decisions (how to treat or accept risks).
Risk Appetite vs. Risk Tolerance
Two important concepts help guide decisions:
Risk appetite – The overall amount and type of risk your organization is willing to pursue or accept in pursuit of objectives.
Risk tolerance – The acceptable variation around objectives, or the “limits” beyond which risks must be escalated.
For example, your organization may have an appetite for moderate financial risk but zero tolerance for risks that compromise customer data confidentiality. Understanding this distinction helps make consistent and defensible decisions.
Prioritization of Risks
Not all risks are created equal. After comparing scores to acceptance criteria, risks should be prioritized. A typical scale might include:
Critical risks – Immediate treatment required; may halt operations if left unaddressed.
High risks – Require treatment planning within a short timeframe.
Medium risks – May be treated or monitored based on resources.
Low risks – Acceptable with no further action.
Risk prioritization helps align treatment with business objectives and regulatory requirements, ensuring that critical risks do not get buried in a long list of minor issues.
Treatment Options (ISO 27005 Guidance)
For risks that exceed acceptance criteria, ISO 27005 outlines four main treatment strategies:
Reduce (mitigate) – Implement new or stronger controls to lower likelihood or impact.
Avoid – Change processes or eliminate activities that create the risk.
Transfer (share) – Shift risk to another party (e.g., insurance, outsourcing).
Accept – Formally acknowledge and accept the risk without additional treatment.
The chosen option must be documented in the Risk Treatment Plan, which becomes a core deliverable for ISO 27001 compliance.
Outputs of Risk Evaluation
By the end of Step 4, you should have:
A prioritized risk register, showing which risks are accepted, monitored, or treated.
Documentation demonstrating alignment with your organization’s risk criteria.
A list of risks requiring treatment, which forms the basis of the Risk Treatment Plan.
Clear evidence for auditors showing how risk decisions were made.
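To make Steps 3 and 4 concrete, here is an added example (not code from the original article or from any product it mentions) that scores a small, constructed risk register with the article's likelihood and impact scales, converts the semi-quantitative scores to levels, applies a zero-tolerance override for customer-data confidentiality (the article's own appetite-versus-tolerance example), computes SLE and ALE for a quantitative case, and records an accept/monitor/treat decision with a rationale for each risk. The score bands, the level-to-decision mapping, the `affects_customer_confidentiality` attribute, the cost-effectiveness check, and the sample risks are assumptions chosen for illustration, not ISO requirements.

```python
"""Score a risk register (Step 3) and evaluate it against acceptance criteria (Step 4).

Added example. The 5x5 scales are the article's; everything else is assumed.
"""
from __future__ import annotations

from dataclasses import dataclass

# Qualitative scales from the article, mapped to 1..5 (semi-quantitative).
LIKELIHOOD = ["Rare", "Unlikely", "Possible", "Likely", "Almost Certain"]
IMPACT = ["Insignificant", "Minor", "Moderate", "Major", "Severe"]

# Assumed acceptance criteria: upper bound of likelihood x impact for each level.
LEVEL_BANDS = [(4, "Low"), (9, "Medium"), (15, "High"), (25, "Critical")]

# Assumed mapping from level to management decision (Low accepted, Medium monitored,
# High/Critical sent to the Risk Treatment Plan).
DECISION = {"Low": "accept", "Medium": "monitor", "High": "treat", "Critical": "treat"}


@dataclass
class Risk:
    rid: str
    asset: str
    threat: str
    likelihood: str
    impact: str
    affects_customer_confidentiality: bool = False  # assumed attribute for the tolerance rule


def semi_quantitative_score(likelihood: str, impact: str) -> int:
    """Convert the descriptive categories to 1..5 and multiply (range 1..25)."""
    return (LIKELIHOOD.index(likelihood) + 1) * (IMPACT.index(impact) + 1)


def risk_level(score: int) -> str:
    """Map a score to Low/Medium/High/Critical using the assumed bands."""
    for upper, name in LEVEL_BANDS:
        if score <= upper:
            return name
    raise ValueError(f"score out of range: {score}")


def quantitative_ale(asset_value: float, exposure_factor: float, aro: float) -> tuple[float, float]:
    """SLE = asset value x exposure factor; ALE = SLE x annualized rate of occurrence."""
    sle = asset_value * exposure_factor
    return sle, sle * aro


def control_is_cost_effective(ale_before: float, ale_after: float, annual_control_cost: float) -> bool:
    """'Reduce' only pays off if the avoided annual loss exceeds the control's annual cost."""
    return (ale_before - ale_after) > annual_control_cost


def evaluate(risk: Risk) -> dict:
    """Step 4: compare the score with the acceptance criteria and record a defensible decision."""
    score = semi_quantitative_score(risk.likelihood, risk.impact)
    level = risk_level(score)
    # Tolerance override (assumed): zero tolerance for customer-data confidentiality
    # risks, so they are treated even when the score alone would let them be accepted.
    if risk.affects_customer_confidentiality and level in ("Low", "Medium"):
        level, rationale = "High", "tolerance override: customer data confidentiality"
    else:
        rationale = f"score {score} falls in the {level} band"
    return {"id": risk.rid, "score": score, "level": level,
            "decision": DECISION[level], "rationale": rationale}


def prioritize(risks: list[Risk]) -> list[dict]:
    """Order the register so critical risks never get buried under minor ones."""
    order = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}
    rows = [evaluate(r) for r in risks]
    return sorted(rows, key=lambda r: (order[r["level"]], -r["score"]))


# Constructed sample register (not real data).
SAMPLE_REGISTER = [
    Risk("R1", "Customer CRM database", "Credential theft by external attacker", "Likely", "Major", True),
    Risk("R2", "Office printer", "Hardware failure", "Likely", "Insignificant"),
    Risk("R3", "Primary data centre", "Extended power outage", "Unlikely", "Severe"),
    Risk("R4", "Marketing website", "Defacement via unpatched CMS", "Likely", "Moderate"),
    Risk("R5", "Customer export tool", "CSV emailed to wrong recipient", "Unlikely", "Minor", True),
]

if __name__ == "__main__":
    for row in prioritize(SAMPLE_REGISTER):
        print(f"{row['id']}: {row['level']:<8} score={row['score']:>2} -> {row['decision']} ({row['rationale']})")
    sle, ale = quantitative_ale(asset_value=500_000, exposure_factor=0.4, aro=0.2)
    print(f"SLE={sle:,.0f} ALE={ale:,.0f}")
    # Assumed: a control costing 20,000/year that cuts ALE by 90 percent.
    print("control pays off:", control_is_cost_effective(ale, ale * 0.1, 20_000))
```

Running it lists R1 as Critical (score 16) and R5 as High despite a score of 4, with the override recorded in the rationale; that rationale column is the audit evidence Step 4 asks for, so keep it in the register rather than only in the meeting notes.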
Continuous Review
It’s important to remember that risk evaluation is not a one-time exercise. Business processes, technology, and threats evolve constantly. ISO 27001 requires the risk assessment to be repeated at planned intervals and whenever significant changes are proposed or occur (e.g., system upgrades, acquisitions, regulatory changes).
Next steps include:
Developing a Risk Treatment Plan (RTP) – Define how risks will be addressed and assign responsibility.
Updating the Statement of Applicability (SoA) – Document which ISO 27001 Annex A controls are implemented and why.
Maintaining the risk register – Track new risks and monitor changes over time.
Ongoing monitoring and review – ISO 27001 requires continuous evaluation of risks to ensure the ISMS stays effective.
Final Thoughts
An ISO 27001 risk analysis is more than a compliance exercise: it ensures security resources are allocated where they matter most. By following this four-step approach, organizations gain clarity on threats, vulnerabilities, and business impacts, setting the stage for informed decision-making and stronger resilience.