ISO 27001 and risk management

I really like the fact that ISO 27001 is based on risk assessment, and I guess I am not the only one, since the next version of ISO 9001 will also introduce risk management to replace preventive action, and there will be a focus on risk identification and mitigation (see the new ISO 9001:2015 edition).

The ISO 27001 international standard specifies the requirements for establishing, implementing, maintaining and continually improving information security processes and controls systematically and consistently within the context of the organisation’s overall business risks (see ISO).

This is why ISO 27001 is so relevant to ALL organisations and businesses that have information to protect. It is not a standard that, from the outset, describes what you need to protect and how you should protect it, but one that asks you first to identify your valuable assets, seen in the context of the organisation and its interested parties, then to make a judgement about the risk to each asset, and then to produce a risk treatment plan.

Let us remind ourselves that a risk is the combination of the probability (likelihood) of an event and its consequence (impact). Risk occurs when a threat and a corresponding vulnerability both exist: when an asset is not vulnerable to a threat, there is no risk.

When it comes to choosing a risk management process, ISO 27001 is again not prescriptive, but simply requires that:

You settle on a process (ISO 27005:2011 gives a lot of guidance, see figure 1) that you can repeat and that produces comparable results
You determine what your risk appetite is
You identify risk owners
You define and apply an information security risk treatment plan

Hence the work typically starts by identifying all assets within the information security management system (ISMS) scope in a comprehensive register. For each asset you then assess the risk.

Once a risk has been assessed, the next step in the risk management process is to identify what risk treatment action, if any, is appropriate for each of the risks identified in the risk assessment. In short you have 4 options:

Avoid (Disabling USB ports is an example)
Reduce (A firewall is an example)
Transfer (Outsourcing or buying insurance is an example)
Accept (Allowing staff to use the internet is an example)

From an ISMS perspective, the main piece of work is to reduce the risk through the design and implementation of control objectives and controls. This is basically what your management system is about, and it leads to the key document called the Statement of Applicability (SoA), where you explain which of the 114 Annex A controls you are implementing and which you have decided to exclude (and why). The SoA, together with the scope and the policy, is a key document for the certification audit.

There are plenty of tools and software solutions available to help you with risk management. I like to keep it simple and use a spreadsheet: you list the asset you are reviewing, describe the risk and its impact on the business, score likelihood and severity (each between 1 and 5), multiply the two to give an overall score, and finally define the mitigating action and re-score.
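As an added illustration (not from the original post), here is the spreadsheet method above as a small Python risk register: each entry carries its risk owner, the initial likelihood x severity score, one of the four treatment options and the re-scored residual risk, and a check flags anything still above the organisation's risk appetite. The 1-5 scales, the appetite threshold, the sample assets and all function names are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import List, Optional

TREATMENTS = ("avoid", "reduce", "transfer", "accept")
def check_score(value: int) -> int:
    # Likelihood and severity are both scored on the post's 1-5 scale
    if not 1 <= value <= 5:
        raise ValueError(f"score {value} is outside the 1-5 scale")
    return value

@dataclass
class Risk:
    asset: str
    description: str
    owner: str                      # ISO 27001 asks for a named risk owner
    likelihood: int                 # 1 (rare) .. 5 (almost certain)
    severity: int                   # 1 (negligible) .. 5 (critical)
    treatment: Optional[str] = None
    action: str = ""
    residual: Optional[int] = None  # score after the mitigating action
    def __post_init__(self) -> None:
        check_score(self.likelihood)
        check_score(self.severity)
    @property
    def score(self) -> int:
        return self.likelihood * self.severity  # the spreadsheet's overall score
    @property
    def residual_score(self) -> int:
        # Until a risk is treated and re-scored, residual equals initial
        return self.score if self.residual is None else self.residual

def treat(risk: Risk, treatment: str, action: str, likelihood: int, severity: int) -> Risk:
    """Record the chosen treatment option and re-score the risk after the action."""
    if treatment not in TREATMENTS:
        raise ValueError(f"unknown treatment {treatment!r}")
    risk.treatment, risk.action = treatment, action
    risk.residual = check_score(likelihood) * check_score(severity)
    return risk

def above_appetite(register: List[Risk], appetite: int) -> List[Risk]:
    """Risks whose residual score still exceeds the agreed risk appetite."""
    return [r for r in register if r.residual_score > appetite]

def sample_register() -> List[Risk]:
    # Constructed sample entries: assets, owners and scores are made up
    laptops = Risk("Staff laptops", "Data leaves via USB media", "IT manager", 4, 4)
    web = Risk("Public web server", "Unauthorised access from the internet", "IT manager", 4, 5)
    treat(laptops, "avoid", "Disable USB ports on all laptops", 1, 4)
    treat(web, "reduce", "Put a deny-by-default firewall in front of the server", 2, 5)
    return [laptops, web]
```

With an assumed appetite of 9, the treated laptop risk (residual 4) drops off the list while the web server (residual 10) stays on it for further treatment or a documented acceptance by its owner.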

Contact us at if you would like assistance with your risk management or ISO 27001 project.