This article covers 8 points on how to create an ISO 27001 risk assessment:

  1. What ISO 27001 requires for risk assessment (clause 6.1.2)
  2. Recommended methodology: ISO 27005 and good practice
  3. Step-by-step process to create the assessment
  4. How to document and maintain the assessment
  5. Common mistakes
  6. How PrivaLex can help
  7. Frequently asked questions
  8. Next step

Creating a risk assessment under ISO 27001 is one of the cornerstones of a solid information security management system (ISMS). The standard does not prescribe a single method, but it does require the process to be consistent, documented and reviewed periodically.

This guide explains how to create an ISO 27001 risk assessment in practice: what clause 6.1.2 requires, which methodology to use and how to document it.

At PrivaLex Partners we help organisations design and implement the risk assessment process efficiently, from methodology to risk treatment and the documentation required for certification. If you are preparing to obtain ISO 27001 certification or want to align your ISMS with the standard, this guide gives you the roadmap.

What ISO 27001 Requires for Risk Assessment (Clause 6.1.2)

Requirements of clause 6.1.2

Clause 6.1.2 of ISO 27001 requires the organisation to identify, assess and treat information security risks systematically. Listing threats is not enough: you must define criteria for risk assessment and acceptance, ensure assessments are consistent and comparable over time, and assign responsibilities.

What the assessment must cover

The standard requires you to identify risks that threaten the confidentiality, integrity and availability of information within the scope of the ISMS; to assess consequences, likelihood and risk level; and to prioritise according to the criteria defined. A coherent risk assessment is the compass of your security: without it, you are navigating blind.

Both the ISO standards and a well-designed information security management system (ISMS) rely on this process.

Recommended Methodology: ISO 27005 and Good Practice

The ISO 27005 cycle

Although ISO 27001 sets out what must be achieved, ISO 27005 provides more concrete guidance on how. This standard proposes a continuous cycle with clear stages: establish the context of risk, identify risks, analyse and assess (likelihood and impact), treat risks (mitigate, transfer, accept, avoid), accept residual risks in a documented way, and communicate, review and monitor.

Practical application

ISO 27005 turns ISO 27001 risk theory into real action. You can adapt the scales and criteria to your size and sector; what matters is that the methodology is documented and applied consistently. Cybersecurity and risk management are the foundation on which the rest of the Annex A controls are built.

Step-by-Step Process to Create the Assessment

Although the approach should adapt to your organisation, this process serves as a general guide for how to create an ISO 27001 risk assessment:

Define methodology and context

  1. Define the methodology: assessment and acceptance criteria, scales for likelihood and impact, roles (who assesses, who approves), frequency of reviews. Document everything in an internal procedure or guide.
  2. Identify key assets within the scope of the ISMS and combine them with threats and vulnerabilities relevant to your context.

Assess, prioritise and treat

  1. Assess the likelihood and impact of each risk (by asset or by process, depending on your approach).
  2. Calculate the risk level (e.g. likelihood × impact) and prioritise according to your risk tolerance.
  3. Prepare a treatment plan: which controls to implement, who is responsible and deadlines. Controls can come from Annex A of ISO 27001 or from sector good practice.

Document and review

  1. Document everything in the risk assessment report and link the results to the Statement of Applicability (SoA).
  2. Review periodically and update the assessment when things change (new systems, incidents, regulatory or business changes).
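The steps above can be exercised end to end with a small risk register. The following is an added example, not code from the article or from PrivaLex: it encodes documented 1-5 scales for likelihood and impact, computes risk level as likelihood × impact, classifies each risk against an assumed acceptance threshold, prioritises, and then runs the consistency checks an auditor would make (risks above tolerance with no treatment, treatments without an owner or deadline, and controls referenced in a treatment that the Statement of Applicability does not mark as applicable). The scales, threshold, assets, threats, owners and dates are constructed; the control ids follow the ISO 27001:2022 Annex A numbering, which is an assumption about which edition the organisation uses.

```python
"""Minimal ISO 27001-style risk register: scoring, acceptance criteria,
treatment plan and Statement of Applicability (SoA) alignment check.
Added example; all scales, thresholds and sample data are constructed."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

# Assumed ordinal scales, as the documented methodology would define them.
LIKELIHOOD_SCALE = {1: "rare", 2: "unlikely", 3: "possible", 4: "likely", 5: "almost certain"}
IMPACT_SCALE = {1: "negligible", 2: "minor", 3: "moderate", 4: "major", 5: "severe"}
# Assumed acceptance criterion: a score of 6 or less may be accepted untreated.
ACCEPTANCE_THRESHOLD = 6
HIGH_THRESHOLD = 15  # assumed: 15 and above is "high"


@dataclass
class Treatment:
    option: str          # mitigate | transfer | accept | avoid (ISO 27005 options)
    controls: list[str]  # Annex A control ids (assumed 2022 numbering)
    owner: str
    deadline: str        # ISO 8601 date, constructed


@dataclass
class Risk:
    rid: str
    asset: str
    threat: str
    vulnerability: str
    likelihood: int
    impact: int
    treatment: Optional[Treatment] = None

    def score(self) -> int:
        """Risk level = likelihood x impact; rejects values outside the documented scales."""
        if self.likelihood not in LIKELIHOOD_SCALE or self.impact not in IMPACT_SCALE:
            raise ValueError(f"{self.rid}: likelihood/impact outside the documented scale")
        return self.likelihood * self.impact

    def level(self) -> str:
        """Map the score onto the assumed low/medium/high bands."""
        s = self.score()
        if s >= HIGH_THRESHOLD:
            return "high"
        if s > ACCEPTANCE_THRESHOLD:
            return "medium"
        return "low"


def prioritise(risks: list[Risk]) -> list[Risk]:
    """Highest score first, so treatment effort follows risk tolerance."""
    return sorted(risks, key=lambda r: r.score(), reverse=True)


def check_register(risks: list[Risk], soa: dict[str, bool]) -> list[str]:
    """Return findings an auditor would raise about the register and its link to the SoA."""
    findings: list[str] = []
    for r in risks:
        if r.score() > ACCEPTANCE_THRESHOLD and r.treatment is None:
            findings.append(f"{r.rid}: score {r.score()} above acceptance threshold but no treatment")
            continue
        t = r.treatment
        if t is None:
            continue  # accepted within tolerance, nothing further to check
        if not t.owner or not t.deadline:
            findings.append(f"{r.rid}: treatment lacks an owner or a deadline")
        for c in t.controls:
            if not soa.get(c, False):
                findings.append(f"{r.rid}: control {c} used in treatment but not applicable in SoA")
    return findings


# Constructed sample register (assets, threats, owners and dates are illustrative).
RISKS = [
    Risk("R-01", "customer database", "ransomware", "no tested offline backups", 4, 5,
         Treatment("mitigate", ["A.8.13", "A.8.7"], "IT manager", "2025-06-30")),
    Risk("R-02", "HR file share", "accidental deletion", "no versioning", 3, 3),
    Risk("R-03", "public website", "defacement", "unpatched CMS", 2, 2),
]
# Constructed SoA: A.8.7 is deliberately marked not applicable to show the misalignment finding.
SOA = {"A.8.13": True, "A.8.7": False}


def audit_findings() -> list[str]:
    return check_register(RISKS, SOA)


if __name__ == "__main__":
    for r in prioritise(RISKS):
        print(f"{r.rid} {r.asset!r}: score={r.score()} level={r.level()}")
    for f in audit_findings():
        print("FINDING:", f)
```

Running it lists R-01 (score 20, high) first, then R-02 (9, medium) and R-03 (4, low), and reports two findings: R-02 sits above the acceptance threshold with no treatment, and R-01's treatment cites control A.8.7 that the SoA does not mark as applicable. Those are exactly the two gaps the "Document and review" step is meant to close before an audit.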

How to Document and Maintain the Assessment

Content of the assessment report

The risk assessment must be recorded in a report (or set of documents) that includes: scope, methodology used, assessment and acceptance criteria, list of risks identified with level and treatment, treatment plan with owners and dates, and approval by management or the ISMS owner.

The Statement of Applicability reflects which Annex A controls you apply and why (based on the risks); it must be aligned with the risk report.

Maintenance and reviews

Maintaining the assessment means reviewing it at least annually or when significant changes occur (new projects, incidents, regulatory changes). Without periodic reviews, the ISMS becomes outdated and certification or internal audit may find deviations.

The risk assessment under ISO 27001 is not an end in itself but a strategic tool that helps you anticipate, respond and strengthen yourself against real vulnerabilities.

Mistakes That Can Undermine Your Risk Assessment

Not defining criteria or methodology in writing

If each assessment uses different scales or criteria, results are not comparable and the auditor will detect inconsistencies. Document the methodology and use it consistently.

Assessing once and never reviewing

ISO 27001 requires the assessment to be kept up to date. Not reviewing when things change or not scheduling periodic reviews weakens the ISMS and can lead to non-conformities.

Not linking risks to the treatment plan and the SoA

Identified risks must translate into controls (Annex A or equivalent) and into the Statement of Applicability. If the risk report and the SoA are not aligned, the auditor will notice.

Improvising without assigned responsibility

Assign owners for the assessment, for approval of residual risk and for monitoring the treatment plan. Without a clear owner, the process drifts.

How PrivaLex Can Help You Create an ISO 27001 Risk Assessment

What we do

At PrivaLex Partners we help organisations design and implement the risk assessment process efficiently and rigorously. We support you on methodology (criteria, scales, use of ISO 27005), on identification and assessment of risks, on the treatment plan and on the documentation needed for the ISMS and certification.

Why PrivaLex

With experience in NIS2 and in GDPR audit and cybersecurity projects, we integrate the risk assessment into a broader framework when your organisation combines several compliance frameworks. We do not sell software: we provide expertise, experience and direct support so that your security is not complex, but effective.

Schedule a strategic session with PrivaLex and design your ISO 27001 risk assessment with clarity.

Frequently Asked Questions (FAQs)

How do I create an ISO 27001 risk assessment in practice?

Define a documented methodology (criteria, scales, roles, frequency); identify assets, threats and vulnerabilities within the scope of the ISMS; assess likelihood and impact and calculate risk level; prioritise and prepare a treatment plan; document everything in a report and link it to the Statement of Applicability; review periodically and when things change.

ISO 27005 is a useful guide for the process.

Do I have to use ISO 27005 for risk assessment in ISO 27001?

No. ISO 27001 requires the assessment to be systematic and documented (clause 6.1.2), but it does not mandate a specific methodology. ISO 27005 is a recommended standard that many organisations use because of its alignment with the standard. You can use another methodology as long as it meets the requirements of 6.1.2 and is documented.

How often should I review the ISO 27001 risk assessment?

The standard requires the assessment to be maintained and updated when relevant changes occur (technological, organisational, regulatory or business). In practice, it is common to review it at least once a year and whenever a major incident or a change affecting scope or risks occurs.

The certification audit will check that a defined and applied review process exists.

What is the relationship between the risk assessment and the Statement of Applicability (SoA)?

The SoA states which controls from Annex A of ISO 27001 you apply and why (or why you do not apply some). It must be justified by the risks identified in the assessment: prioritised risks are addressed with specific controls, and the SoA reflects that decision.

Risk report and SoA must be aligned and consistent for an audit.

Can PrivaLex help me create and document my ISO 27001 risk assessment?

Yes. PrivaLex helps you design the methodology (criteria, scales, use of ISO 27005), carry out risk identification and assessment, prepare the treatment plan and document the report and its link to the SoA.

We support you from process design to documentation ready for audit or certification.

Next step

Your next step

Knowing how to create an ISO 27001 risk assessment is the first step to having a solid, risk-driven ISMS. The next is to define your methodology, run the assessment and document it so it stands up to audit.

Schedule a strategic session with PrivaLex and turn the risk assessment into the foundation of your security.