ISO 27001 – Risk Management

Guide to ISO 27001_part 5_risk management

There are many ways to approach risk management. When it comes to implementing an ISO 27001 compliant information security management system, controls are deployed using a risk-based approach. All the topics discussed in the first half of our guide, from the mandatory standard clauses to stakeholder communication, are directly linked to risk management.

In part 5 of our Guide to ISO 27001 Compliance, we are jumping straight into the risk management processes: identifying the necessary documentation, exploring risk analysis, and continuous monitoring of threats.

Check out the updated ISO 27001:2022 here.

A Risk-Based Approach

Before we begin, let’s take one step back to explain what we mean by taking a risk-based approach (RBA) to information security risk and compliance:

Technology moves faster than regulation, so regulators are continuously playing catch-up. When a regulator prescribes specific compliance requirements, companies tend to enact measures that satisfy only those criteria; instead of building a comprehensive, scalable, and resilient ISMS, they are in essence doing the bare minimum.

With an RBA, companies do not give every conceivable threat the same in-depth assessment. Instead they introduce a systematic way of thinking: actively looking for new risk avenues, rating them, and taking preventative action in proportion to what is at stake. RBA boils down to allocating more resources to the risks that could have a greater impact on your organization, and less to those that could not.

Risk Management Process

When it comes to the risk management process, the most important takeaway from this article would be:

Your approach must always be commensurate with the risk.

The first step in the process is documenting your risk management approach (scales, criteria, and risk appetite) as a set of actions that will guide you through the steps below.

Risk Identification

You must list the external and internal factors (threats and the vulnerabilities they could exploit) that pose a risk to the information assets within the scope of your Information Security Management System (ISMS). Risk identification focuses on how each of these factors would affect the confidentiality, integrity, or availability of those assets, and who owns each risk.

Risk Analysis

Once the risks are identified, you must determine the likelihood and impact of each one. Assigning numerical values to each level of likelihood and impact (and combining them into a single score) makes risks comparable with each other, which is what you need for consistent prioritization.

Risk Treatment

Each risk must be associated with the controls used to reduce its likelihood or impact. If no such control is in place yet, a risk treatment plan must be documented, with an owner and a deadline, as the response to that risk.

Monitoring & Review

The steps above, and the results they produce, must be documented. That documented risk assessment process is what you will reuse each time you analyze the threats to your ISMS, so that successive assessments are comparable.

The ISMS risk analysis must be performed at least annually, and reviewed every time there is a substantial change to your assets, controls, or processes.

Risk Definition and Treatment

A widely accepted way of defining risk levels is by criticality:

Critical: A risk with catastrophic impact on all or many assets.
High: A risk that is likely to have a significant impact on information assets or users.
Medium: A risk with impact on a small number of assets that should be mitigated soon.
Low: A risk that is difficult to identify or exploit, or that only affects a small number of assets.

After defining the risk criticality, one of the following treatment options must be chosen and recorded for each risk:

Accept:

  • Accepting the identified residual risk, with a documented justification and sign-off by the risk owner; a risk above your stated risk appetite should not be accepted without that explicit decision.

Mitigate:

  • Risk mitigation strategies reduce the likelihood or impact of a risk by taking action: adding or strengthening physical, technical, or administrative controls.

Avoid:

  • Risk avoidance strategies remove the source of the risk altogether, for example by discontinuing the activity or retiring the asset that gives rise to it.

Transfer:

  • Assign the financial consequences of the risk to another party, for example through insurance.

Share:

  • Share the risk with third parties by assigning components of the information assets or certain processing activities to external stakeholders. Note that accountability for the risk stays with your organization even when the processing does not.
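The risk analysis, criticality rating, and treatment steps above can be carried through on a small risk register. The following is an added example and is not StandardFusion's software or a method mandated by ISO 27001: the 1 to 5 likelihood and impact scales, the score thresholds for the four criticality levels, the rule that each implemented control lowers likelihood by one step, and the sample risks are all assumptions chosen for illustration.

```python
"""Toy ISO 27001-style risk register: score, rate, and treat each risk.

Added example with assumed scales and thresholds; not an ISO-defined method.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

TREATMENTS = {"accept", "mitigate", "avoid", "transfer", "share"}
LEVELS = ["Low", "Medium", "High", "Critical"]  # ordered, least to most severe


@dataclass
class Risk:
    risk_id: str
    asset: str
    threat: str
    likelihood: int  # assumed scale: 1 (rare) .. 5 (almost certain)
    impact: int      # assumed scale: 1 (negligible) .. 5 (catastrophic)
    controls: list[str] = field(default_factory=list)  # controls already in place
    treatment: Optional[str] = None

    def score(self) -> int:
        """Inherent risk = likelihood x impact, before any controls are counted."""
        for v in (self.likelihood, self.impact):
            if not 1 <= v <= 5:
                raise ValueError(f"{self.risk_id}: likelihood and impact must be 1..5")
        return self.likelihood * self.impact

    def residual_score(self) -> int:
        """Assumed rule: each implemented control lowers likelihood by one step (floor 1)."""
        effective_likelihood = max(1, self.likelihood - len(self.controls))
        return effective_likelihood * self.impact


def criticality(score: int) -> str:
    """Map a 1..25 score onto the article's four levels (thresholds are assumed)."""
    if score >= 20:
        return "Critical"
    if score >= 12:
        return "High"
    if score >= 6:
        return "Medium"
    return "Low"


def review(risk: Risk, appetite: str = "Medium") -> dict:
    """Apply the treatment rules from the article to one risk.

    - Every risk needs a recorded treatment option.
    - A mitigated risk still above appetite has no adequate control yet, so it
      needs a documented action plan.
    - Accepting a risk above appetite requires an explicit sign-off.
    """
    if risk.treatment not in TREATMENTS:
        raise ValueError(f"{risk.risk_id}: treatment must be one of {sorted(TREATMENTS)}")
    inherent = criticality(risk.score())
    residual = criticality(risk.residual_score())
    above_appetite = LEVELS.index(residual) > LEVELS.index(appetite)
    return {
        "id": risk.risk_id,
        "asset": risk.asset,
        "inherent": inherent,
        "residual": residual,
        "treatment": risk.treatment,
        "action_plan_required": risk.treatment == "mitigate" and above_appetite,
        "acceptance_signoff_required": risk.treatment == "accept" and above_appetite,
    }


def review_register(risks: list[Risk], appetite: str = "Medium") -> list[dict]:
    """Review every risk and return the results, highest residual score first."""
    ordered = sorted(risks, key=lambda r: r.residual_score(), reverse=True)
    return [review(r, appetite) for r in ordered]


# Constructed sample register (hypothetical assets and threats).
SAMPLE_RISKS = [
    Risk("R1", "Staff laptops", "Theft of unencrypted device", 4, 5,
         controls=["full-disk encryption", "MDM remote wipe"], treatment="mitigate"),
    Risk("R2", "Production database", "Ransomware", 3, 5, treatment="mitigate"),
    Risk("R3", "Marketing website", "Defacement", 3, 2, treatment="accept"),
    Risk("R4", "Card payments", "Cardholder data breach", 2, 5, treatment="transfer"),
    Risk("R5", "Legacy HR system", "Unpatched remote exploit", 4, 4, treatment="accept"),
]

if __name__ == "__main__":
    for row in review_register(SAMPLE_RISKS):
        print(row)
```

Running the block prints one row per risk: R1 drops from Critical to Medium because two controls are in place, R2 stays High with no controls and is flagged for an action plan, and R5 is flagged because a High residual risk is being accepted above a Medium appetite. The thresholds and the "one control, one likelihood step" rule are deliberately simple; a real register would use the scales and criteria fixed in your documented risk methodology.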

Managing Your Risk

Implementing an ISO 27001 compliant ISMS requires alignment on multiple fronts, including having a risk-based approach to compliance. To satisfy ISO 27001 requirements, your Information Security Management documentation must include a comprehensive process to identify, assess, monitor, and treat risks. As risk continues to evolve, teams will need to continuously reassess the risks facing their organization to keep control and prevent any incidents that may compromise existing systems, assets and data.

Next in our guide to ISO 27001 Compliance, we will be taking an in-depth look at Annex A, and how to define your controls in order to satisfy compliance requirements.

How Can StandardFusion Help?

With StandardFusion, you can manage your ISO 27001 compliance program. With our software, you can create your risk analysis from the ground up and develop your risk register as your ISMS matures. You can build lists of threats and associate them with your assets, or easily import your pre-defined threats from an existing system. Administrators can customize the system's risk analysis methodology to automatically categorize risks as they are defined. After identifying vulnerabilities, users can quickly implement risk-mitigating controls and policies and establish action plans as tasks for improved ownership and governance. See how simple risk management can be with StandardFusion and connect with our team for a demo!


Guide to ISO 27001

Part 1 – Implementation & Leadership Support
Part 2 – Establishing Scope and Creating the Statement of Applicability
Part 3 – Mandatory Clauses
Part 4 – Understanding & Communicating with Stakeholders
Part 5 – Risk Management
Part 6 – Defining Controls
Part 7 – Competence, Training and Awareness
Part 8 – Monitoring Efficacy & Continuous Improvement