
ISO 27001 Risk Assessment: How to Build a Complete Risk Program with Templates and Automation

25 February 2026 · Framework Implementation · 9 min read

ISO 27001 clauses 6.1.2 and 6.1.3 require organisations to define a risk assessment process, execute it, and document treatment decisions. Clause 6.1.3(d) specifically requires a Statement of Applicability listing all Annex A controls with justifications for inclusion or exclusion. Clause 8.2 requires that risk assessments are performed at planned intervals or when significant changes occur.

Most organisations understand the requirement. What they struggle with is the practical execution — the actual spreadsheets, scoring calibrations, treatment workflows, and evidence trail that auditors evaluate during certification.

This guide walks through the complete risk assessment lifecycle and shows where templates, automation, and tooling eliminate the manual work that makes the process painful.

The Risk Assessment Lifecycle

A compliant ISO 27001 risk assessment is not a single document. It is a connected workflow producing multiple deliverables that reference each other.

The core chain: Methodology → Identification → Scoring → Treatment → SoA → Report → Review. Each stage produces documentation that the next stage consumes.

The methodology defines how you score risks. Identification produces the risk register. Scoring applies the methodology to each risk. Treatment documents what you will do about risks above your appetite threshold. The Statement of Applicability maps identified risks and treatments to Annex A controls. The report summarises findings for management review. The review cycle ensures the program stays current.

Break any link in this chain and you create an audit finding.

Defining Your Methodology

The methodology document is the foundation. Auditors read it first because it tells them the rules you committed to follow — they then check whether you actually followed them.

A defensible methodology needs five components: a scoring scale with calibrated definitions, risk appetite thresholds, roles and responsibilities, assessment triggers, and a review cycle.

Scoring Scale

The 5×5 likelihood-impact matrix is the industry standard for qualitative risk assessment. It works because it is simple enough for non-technical participants to use in workshop settings while producing sufficient granularity for meaningful prioritisation.

The critical detail most templates miss is calibration. A likelihood score of 3 (“Possible”) means nothing unless you define what makes something “possible” for your organisation. Calibrated anchors tie abstract scores to concrete questions: “Has this occurred at comparable organisations in the last 3-5 years?” gives workshop participants a testable criterion rather than a subjective guess.

Impact calibration requires financial and operational anchors: a score of 3 (“Moderate”) maps to “$100K-$500K loss or 1-3 days downtime.” Without these anchors, two assessors will score the same risk differently and neither can explain why.

Risk Velocity

Standard 5×5 matrices capture likelihood and impact but miss a third dimension: how fast a risk materialises once it occurs. A ransomware attack impacts the organisation within hours. A compliance gap might take months to result in enforcement action. Both could have identical likelihood-impact scores, but they demand fundamentally different response postures.

Adding a velocity indicator — Rapid (hours to days), Fast (days to weeks), Moderate (weeks to months), Slow (months or more) — provides the secondary prioritisation that pure score-based ranking cannot. When two risks share the same residual score, velocity determines which gets attention first.

Risk Appetite

Risk appetite must be quantified, not aspirational. “The organisation has a low appetite for cyber risk” is not actionable. “The organisation accepts residual risk scores of 8 or below without treatment. Scores 9-15 require documented treatment plans with assigned owners. Scores 16 or above require board-level acceptance or immediate mitigation” — that is auditable.
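The scoring scale, velocity indicator and quantified appetite bands above can be expressed as a small scoring model. The following is an added example, not code from the article: only the score-3 anchors, the four velocity buckets and the 8/15 thresholds come from the text, while the remaining anchor strings, the `Risk` layout, the function names and the sample register are constructed assumptions.

```python
"""Added example, not code from the article: a 5x5 scoring model with
calibrated anchors, quantified appetite bands and a velocity tie-break."""
from dataclasses import dataclass

# Calibration anchors: each score maps to a testable criterion rather than an
# adjective, so two assessors scoring the same risk land on the same number.
# Only the score-3 entries are the article's; the others are constructed.
LIKELIHOOD_ANCHORS = {
    1: "Rare: no known occurrence at comparable organisations in 10+ years",
    2: "Unlikely: occurred at comparable organisations in the last 5-10 years",
    3: "Possible: has occurred at comparable organisations in the last 3-5 years",
    4: "Likely: occurred at comparable organisations in the last 1-3 years",
    5: "Almost certain: occurred here or at peers within the last 12 months",
}
IMPACT_ANCHORS = {
    1: "Negligible: under $10K loss or under 1 hour downtime",
    2: "Minor: $10K-$100K loss or 1-24 hours downtime",
    3: "Moderate: $100K-$500K loss or 1-3 days downtime",
    4: "Major: $500K-$5M loss or 3-10 days downtime",
    5: "Severe: over $5M loss or more than 10 days downtime",
}

# Velocity buckets from the article; lower rank = materialises faster.
VELOCITY_RANK = {"Rapid": 0, "Fast": 1, "Moderate": 2, "Slow": 3}

# Quantified appetite bands from the article (score = likelihood x impact).
ACCEPT_MAX = 8    # <= 8: accepted without treatment
TREAT_MAX = 15    # 9-15: documented treatment plan with an owner
                  # >= 16: board-level acceptance or immediate mitigation


@dataclass(frozen=True)
class Risk:
    risk_id: str
    title: str
    likelihood: int
    impact: int
    velocity: str


def score(likelihood: int, impact: int) -> int:
    """Score on the 5x5 matrix; rejects anything outside 1-5."""
    for value in (likelihood, impact):
        if value not in LIKELIHOOD_ANCHORS:   # keys are exactly 1..5
            raise ValueError(f"scores must be 1-5, got {value}")
    return likelihood * impact


def appetite_band(risk_score: int) -> str:
    """Map a score to the action the methodology commits the organisation to."""
    if risk_score <= ACCEPT_MAX:
        return "ACCEPT"
    if risk_score <= TREAT_MAX:
        return "TREAT"
    return "BOARD"


def prioritise(risks: list) -> list:
    """Highest score first; equal scores ordered by velocity (Rapid first),
    then by ID so the ordering is reproducible for the audit trail."""
    if any(r.velocity not in VELOCITY_RANK for r in risks):
        raise ValueError("unknown velocity label")
    return sorted(
        risks,
        key=lambda r: (-score(r.likelihood, r.impact), VELOCITY_RANK[r.velocity], r.risk_id),
    )


def workshop_sheet(risks: list) -> list:
    """Rows as shown in the scoring workshop: anchors visible next to each score."""
    rows = []
    for r in prioritise(risks):
        s = score(r.likelihood, r.impact)
        rows.append({
            "id": r.risk_id, "title": r.title, "score": s, "band": appetite_band(s),
            "velocity": r.velocity,
            "likelihood_anchor": LIKELIHOOD_ANCHORS[r.likelihood],
            "impact_anchor": IMPACT_ANCHORS[r.impact],
        })
    return rows


# Constructed sample register: the first two share a score of 16 and differ
# only in velocity, which is exactly the tie the article says velocity breaks.
SAMPLE_RISKS = [
    Risk("RISK-001", "Ransomware outbreak", 4, 4, "Rapid"),
    Risk("RISK-002", "Regulatory compliance gap", 4, 4, "Slow"),
    Risk("RISK-003", "Phishing-led credential theft", 5, 2, "Fast"),
    Risk("RISK-004", "Lost or stolen laptop", 3, 2, "Moderate"),
]

if __name__ == "__main__":
    for row in workshop_sheet(SAMPLE_RISKS):
        print(f"{row['id']} {row['score']:>2} {row['band']:<6} {row['velocity']:<8} {row['title']}")
```

Running it lists the ransomware risk ahead of the compliance gap although both score 16, with the anchor text beside each score so participants validate a criterion rather than debate an adjective.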

Building the Risk Register

The risk register is the central artefact. Everything else references it.

Identification

Risk identification through a blank text field produces inconsistent, incomplete results. A structured risk library — pre-defined risks mapped to ISO 27001 Annex A controls and NIST CSF functions — gives workshop participants a starting point they can confirm, reject, or extend.

Industry-specific pre-selection accelerates the process further. A healthcare organisation faces different risk priorities than a technology startup. Pre-selecting the 15-20 risks most relevant to the organisation’s sector and size, then letting participants modify the selection, cuts identification time significantly while improving coverage.

Scoring

Run scoring in a facilitated workshop, not as a solo exercise. When the CISO scores every risk alone, auditors question whether the assessment reflects organisational understanding or individual bias. Workshop-based scoring with 4-8 participants from different business functions produces defensible results and creates shared ownership of the risk profile.

The scoring session should present each risk with its calibration anchors visible. Participants score likelihood and impact independently, then discuss disagreements. Where scores diverge by more than 1 point, the discussion itself is valuable — it surfaces assumptions that individual scoring would miss.

Control Assessment and Residual Scoring

After inherent scoring, assess existing controls against each risk. Binary “control exists / doesn’t exist” assessments are insufficient. A control effectiveness scale — Strong (fully implemented, tested, monitored), Moderate (implemented but not fully tested), Weak (partially implemented), None — feeds a structured residual calculation.

With effectiveness ratings, residual scores can be auto-calculated rather than manually guessed. If a risk has inherent likelihood 4 and 3 of 4 recommended controls are rated Strong, the tool can suggest a residual likelihood of 2 with a documented methodology the assessor can override. This replaces “pick a number” with “validate a calculation.”

Treatment Planning

Every risk above the appetite threshold requires a documented treatment decision: Mitigate, Transfer, Accept, or Avoid. Each option requires different documentation.

Mitigation plans need: the specific controls being implemented, the responsible owner, the target completion date, success criteria, and the projected residual score after implementation. Transfer plans (typically insurance) need: the transfer mechanism, what is and is not covered, and the residual risk the organisation retains. Acceptance decisions need: the business justification, the accepting authority, review conditions, and an expiry date.

Statement of Applicability

The SoA is the single most audited document in an ISO 27001 certification. It lists all 93 Annex A controls with three fields per control: applicable or excluded, implementation status, and justification.

The justification field is where most organisations fail. “Not applicable” without explanation is an automatic audit finding. Every excluded control needs a documented rationale linked to the risk assessment: “Control A.8.25 (Secure development life cycle) excluded — the organisation does not develop software. Risk assessment does not identify software development risks.”

For applicable controls, link the justification to specific identified risks: “Control A.5.24 (Incident management planning) applicable — addresses RISK-019 (No Tested IR Plan) and RISK-020 (Insufficient Evidence Preservation).”
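The two justification rules above (every exclusion needs a rationale, every applicable control should point at identified risks) are mechanical enough to check before the SoA reaches the auditor. The following is an added example, not the article's or any product's code: the two justification strings and the three-field layout come from the text, while the row format, the regex, the status vocabulary, the finding wording and the extra sample rows (control IDs from ISO/IEC 27001:2022 Annex A) are this example's own assumptions.

```python
"""Added example, not from the article: consistency checks on a Statement of
Applicability (SoA) against the risk register."""
import re

RISK_REF = re.compile(r"\bRISK-\d{3}\b")
# Assumed status vocabulary for the implementation-status field.
VALID_STATUS = {"Implemented", "Partially implemented", "Planned", "Not implemented"}
# Justifications that are really no justification at all.
EMPTY_RATIONALES = {"", "n/a", "na", "not applicable", "excluded"}
ANNEX_A_CONTROL_COUNT = 93   # ISO/IEC 27001:2022 Annex A


def validate_soa(rows: list, register_ids: set) -> list:
    """Return (control, problem) pairs. Each row carries the three SoA
    fields: applicable (bool), status, justification, plus the control ID."""
    findings = []
    seen = set()
    for row in rows:
        cid = row["control"]
        if cid in seen:
            findings.append((cid, "control listed more than once"))
        seen.add(cid)
        just = row.get("justification", "").strip()
        if row["applicable"]:
            if row.get("status") not in VALID_STATUS:
                findings.append((cid, f"unknown implementation status {row.get('status')!r}"))
            refs = set(RISK_REF.findall(just))
            if not refs:
                findings.append((cid, "applicable control cites no risk from the register"))
            for ref in sorted(refs - register_ids):
                findings.append((cid, f"cites {ref}, which is not in the risk register"))
        elif just.lower().rstrip(".") in EMPTY_RATIONALES:
            # "Not applicable" with no reasoning is the automatic audit finding.
            findings.append((cid, "excluded without a documented rationale"))
    if len(seen) != ANNEX_A_CONTROL_COUNT:
        findings.append(("SoA", f"{len(seen)} controls listed, expected {ANNEX_A_CONTROL_COUNT}"))
    return findings


def unaddressed_risks(rows: list, register_ids: set) -> set:
    """Register risks that no applicable control's justification refers to."""
    covered = set()
    for row in rows:
        if row["applicable"]:
            covered |= set(RISK_REF.findall(row.get("justification", "")))
    return register_ids - covered


# Constructed sample SoA extract; the first two justifications are the article's.
SAMPLE_SOA = [
    {"control": "A.5.24", "applicable": True, "status": "Implemented",
     "justification": "Incident management planning applicable - addresses RISK-019 "
                      "(No Tested IR Plan) and RISK-020 (Insufficient Evidence Preservation)."},
    {"control": "A.8.25", "applicable": False, "status": "",
     "justification": "Secure development life cycle excluded - the organisation does not "
                      "develop software. Risk assessment does not identify software development risks."},
    {"control": "A.8.7", "applicable": True, "status": "Implemented",
     "justification": "Standard good practice."},            # no link to a risk
    {"control": "A.5.7", "applicable": False, "status": "",
     "justification": "Not applicable."},                    # bare exclusion
    {"control": "A.8.24", "applicable": True, "status": "Planned",
     "justification": "Addresses RISK-099."},                # dangling reference
]
REGISTER_IDS = {"RISK-019", "RISK-020", "RISK-021"}          # constructed register

if __name__ == "__main__":
    for control, problem in validate_soa(SAMPLE_SOA, REGISTER_IDS):
        print(f"{control}: {problem}")
    print("unaddressed:", sorted(unaddressed_risks(SAMPLE_SOA, REGISTER_IDS)))
```

On the sample extract the check flags the bare "Not applicable", the applicable control with no risk link, the reference to a risk ID that does not exist, and the short control count; the two rows written the way the article recommends pass cleanly.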

Scenario Modelling

Before committing budget to treatment plans, model the impact. If you implement MFA across all systems, which risks does it affect and by how much? If you deploy EDR, what is the projected portfolio reduction?

Scenario modelling transforms the risk register from a compliance artefact into a decision-support tool. Instead of presenting the board with “we have 4 Critical risks,” you present “implementing these 2 controls reduces Critical risks from 4 to 1 and costs $X — here is the before and after.”
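The residual calculation from the Control Assessment section and the before/after scenario modelling described here share the same engine, so one added example covers both. This is not code from the article or from any product: the effectiveness labels and the worked figure (inherent likelihood 4, three of four controls Strong, suggested residual 2) are the article's, while the weights, the reduction formula, the assumption that controls change likelihood but not impact, the Critical threshold of 16 and the sample register are constructed for this example.

```python
"""Added example, not from the article: residual likelihood suggested from
control effectiveness ratings (with an assessor override that must carry a
rationale), then before/after scenario modelling over a small register."""
import copy
import math
from dataclasses import dataclass, field
from fractions import Fraction
from typing import Optional

# Assumed weights: the share of a control's intended reduction it delivers.
EFFECTIVENESS_WEIGHT = {
    "Strong": Fraction(1),        # fully implemented, tested, monitored
    "Moderate": Fraction(1, 2),   # implemented but not fully tested
    "Weak": Fraction(1, 4),       # partially implemented
    "None": Fraction(0),
}
CRITICAL = 16   # assumed: the board-level band of the appetite statement


def suggest_residual_likelihood(inherent: int, ratings: list) -> int:
    """Assumed methodology: average the weights into a coverage fraction, take
    that fraction of the available reduction (inherent - 1, since likelihood
    never drops below 1) and round down so the suggestion stays conservative.
    Exact fractions avoid floating-point surprises at the rounding boundary."""
    if inherent not in range(1, 6):
        raise ValueError(f"inherent likelihood must be 1-5, got {inherent}")
    if not ratings:
        return inherent                      # no controls: nothing is reduced
    coverage = sum(EFFECTIVENESS_WEIGHT[r] for r in ratings) / len(ratings)
    return inherent - math.floor(coverage * (inherent - 1))


@dataclass
class RegisterRisk:
    risk_id: str
    title: str
    inherent_likelihood: int
    impact: int                              # assumed unchanged by controls
    controls: dict = field(default_factory=dict)   # control name -> rating
    override_likelihood: Optional[int] = None
    override_rationale: str = ""


def residual_likelihood(risk: RegisterRisk) -> int:
    """The assessor may override the suggestion, but only with a rationale."""
    if risk.override_likelihood is not None:
        if not risk.override_rationale.strip():
            raise ValueError(f"{risk.risk_id}: override without documented rationale")
        return risk.override_likelihood
    return suggest_residual_likelihood(risk.inherent_likelihood, list(risk.controls.values()))


def residual_score(risk: RegisterRisk) -> int:
    return residual_likelihood(risk) * risk.impact


def count_critical(register: list) -> int:
    return sum(1 for r in register if residual_score(r) >= CRITICAL)


def apply_scenario(register: list, upgrades: dict) -> list:
    """Copy of the register with the named controls re-rated, e.g.
    {"MFA": "Strong"}; risks that do not list the control are untouched."""
    scenario = copy.deepcopy(register)
    for risk in scenario:
        for control, rating in upgrades.items():
            if control in risk.controls:
                risk.controls[control] = rating
    return scenario


def compare(register: list, upgrades: dict) -> dict:
    """The before/after figures a board slide needs for one treatment option."""
    after = apply_scenario(register, upgrades)
    return {
        "critical_before": count_critical(register),
        "critical_after": count_critical(after),
        "portfolio_before": sum(residual_score(r) for r in register),
        "portfolio_after": sum(residual_score(r) for r in after),
    }


# Constructed sample register.
SAMPLE_REGISTER = [
    RegisterRisk("RISK-001", "Credential theft", 5, 4,
                 {"MFA": "None", "Password policy": "Moderate"}),
    RegisterRisk("RISK-002", "Ransomware", 4, 5,
                 {"EDR": "None", "Backups": "Strong", "Patching": "Weak", "MFA": "None"}),
    RegisterRisk("RISK-003", "Lost laptop", 3, 3,
                 {"Disk encryption": "Strong", "MDM": "Weak"}),
    RegisterRisk("RISK-004", "Vendor outage", 4, 4,
                 {"Vendor due diligence": "Moderate"}),
]

if __name__ == "__main__":
    for option in ({"MFA": "Strong"}, {"EDR": "Strong"}, {"MFA": "Strong", "EDR": "Strong"}):
        print(option, compare(SAMPLE_REGISTER, option))
```

On the sample register an MFA rollout alone takes the Critical count from 2 to 0 because it sits on both Critical risks, whereas EDR alone only helps the ransomware risk; that is the comparison the article wants put in front of the board instead of a raw count.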

Board Reporting

Boards do not read risk registers. They read 5-slide presentations with three hero metrics, a heat map, and a recommendation. The quarterly risk report needs: current risk profile summary (total risks, critical/high counts, average score), movement since last assessment (new risks, score changes, treatments completed), appetite compliance status (how many risks breach thresholds), top risks requiring attention, and resource requests for treatment plans.

Automating this export from the risk register data eliminates the 2-4 hours GRC managers spend manually building board decks every quarter.

Evidence and Review

Auditors check two things beyond the documents themselves: evidence that the assessment was actually performed (meeting minutes, attendance records, scoring worksheets), and evidence that the program operates on a cycle (review dates, change logs, trend comparisons across assessment periods).

An evidence matrix tracking which risks have documented evidence, which have gaps, and which are due for review provides the oversight view that keeps the program audit-ready between assessment cycles.
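The board-report metrics and the evidence matrix are both aggregations over register snapshots, so one added example covers both sections. It is not the article's or any product's code: the metric list is the article's, while the snapshot layout, the definition of an appetite breach (score above 8 with no treatment decision recorded), the "top 3" cut-off and the sample data are constructed assumptions.

```python
"""Added example, not from the article: quarterly board-report metrics and the
evidence/review matrix derived from two register snapshots."""
from datetime import date

ACCEPT_MAX, CRITICAL = 8, 16          # appetite bands from the methodology


def _index(snapshot: list) -> dict:
    return {r["id"]: r for r in snapshot}


def board_report(previous: list, current: list) -> dict:
    """Hero metrics for the current quarter plus movement since last assessment."""
    prev, cur = _index(previous), _index(current)
    shared = sorted(cur.keys() & prev.keys())
    scores = [r["score"] for r in current]
    changes = [(rid, prev[rid]["score"], cur[rid]["score"])
               for rid in shared if prev[rid]["score"] != cur[rid]["score"]]
    completed = [rid for rid in shared
                 if cur[rid]["treatment"] == "Complete" and prev[rid]["treatment"] != "Complete"]
    # Assumed breach definition: above appetite with no treatment decision yet.
    breaches = [r["id"] for r in current if r["score"] > ACCEPT_MAX and r["treatment"] == "None"]
    top = [r["id"] for r in sorted(current, key=lambda r: (-r["score"], r["id"]))[:3]]
    return {
        "total": len(current),
        "critical": sum(1 for s in scores if s >= CRITICAL),
        "high": sum(1 for s in scores if ACCEPT_MAX < s < CRITICAL),
        "average_score": round(sum(scores) / len(scores), 2) if scores else 0.0,
        "new_risks": sorted(cur.keys() - prev.keys()),
        "closed_risks": sorted(prev.keys() - cur.keys()),
        "score_changes": changes,
        "treatments_completed": completed,
        "appetite_breaches": breaches,
        "top_risks": top,
    }


def evidence_matrix(current: list, as_of: date) -> dict:
    """Which risks have no evidence on file and which are due for review."""
    return {
        "evidence_gaps": [r["id"] for r in current if not r["evidence"]],
        "review_due": [r["id"] for r in current if r["next_review"] <= as_of],
    }


# Constructed snapshots: last quarter and this quarter.
PREVIOUS = [
    {"id": "RISK-001", "score": 16, "treatment": "Planned",
     "evidence": ["workshop-2025Q4-minutes"], "next_review": date(2026, 6, 30)},
    {"id": "RISK-002", "score": 20, "treatment": "Planned",
     "evidence": ["workshop-2025Q4-minutes"], "next_review": date(2026, 6, 30)},
    {"id": "RISK-003", "score": 6, "treatment": "None",
     "evidence": ["workshop-2025Q4-minutes"], "next_review": date(2026, 1, 15)},
    {"id": "RISK-004", "score": 12, "treatment": "In progress",
     "evidence": ["workshop-2025Q4-minutes"], "next_review": date(2026, 6, 30)},
]
CURRENT = [
    {"id": "RISK-001", "score": 8, "treatment": "Complete",
     "evidence": ["workshop-2026Q1-minutes", "mfa-rollout-signoff"], "next_review": date(2026, 6, 30)},
    {"id": "RISK-002", "score": 15, "treatment": "In progress",
     "evidence": ["workshop-2026Q1-minutes"], "next_review": date(2026, 6, 30)},
    {"id": "RISK-003", "score": 6, "treatment": "None",
     "evidence": ["workshop-2025Q4-minutes"], "next_review": date(2026, 1, 15)},
    {"id": "RISK-005", "score": 12, "treatment": "None",
     "evidence": [], "next_review": date(2026, 6, 30)},
]
AS_OF = date(2026, 3, 31)

if __name__ == "__main__":
    for key, value in board_report(PREVIOUS, CURRENT).items():
        print(f"{key}: {value}")
    print(evidence_matrix(CURRENT, AS_OF))
```

The output is the raw material for the five slides: counts and average for the profile summary, the movement lists for the quarter-on-quarter comparison, the breach list for appetite compliance, and the evidence gaps and overdue reviews the auditor will ask about between cycles.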

Tooling Options

At the template level, the minimum viable risk program requires: a methodology document, a risk register workbook with auto-scoring, a treatment plan template, a Statement of Applicability workbook, and a reporting template. Excel handles the quantitative work (scoring, heat maps, dashboards). Word handles the narrative documentation (methodology, treatment plans, reports).

For organisations that want guided workflow automation without SaaS platform costs, browser-based tools that run locally can automate the identification-scoring-controls-SoA chain while producing the same Excel and Word outputs that auditors expect. The key advantage is workflow guidance — the tool walks assessors through each step rather than presenting blank templates.

The decision point between templates and platforms is volume. Under 200 risks, well-structured Excel workbooks with formula automation are appropriate and auditor-accepted. Above 200 risks or with multiple business units running separate registers, a GRC platform starts justifying its cost.

Getting Started

If you are running your first ISO 27001 risk assessment, start with the methodology. Get the scoring calibration right before you identify a single risk. Then run identification with a structured library rather than a blank page. Score in a workshop. Document treatments for everything above appetite. Complete the SoA last — it is the summary of everything before it.

The complete cycle — methodology through board report — takes 2-8 weeks for a first assessment depending on organisation size. Subsequent review cycles are faster because you are updating an existing register rather than building from scratch.

The deliverables from this process directly satisfy ISO 27001 clauses 6.1.2, 6.1.3, 8.2, 8.3, and the Statement of Applicability requirement. They also map to NIST CSF 2.0 GV.RM (Risk Management Strategy) and ID.RA (Risk Assessment), CIS Controls v8 Safeguards 17.1-17.9, and ISO 31000 risk management principles.
