Information Security Risk Assessment for ISO 27001

ISO 27001 Clause 6.1.2

This sub-clause requires the organisation to define and apply an information security risk assessment process to identify, analyse and evaluate risks to information.

ISO 27001 Clause 6.1.2 - Information Security Risk Assessment

The information security risk assessment is the engine that drives the rest of the management system. Every Annex A control, every supporting policy, every entry in the Statement of Applicability traces back to a decision made in the risk assessment. Clause 6.1.2 sets out what that process has to do, and Clause 6.1.3 deals with what happens to the risks once they have been identified.

What ISO 27001 Clause 6.1.2 Requires

The clause requires the organisation to define and apply a risk assessment process that:

- establishes and maintains risk acceptance criteria and criteria for performing the assessments;
- makes sure repeated assessments produce consistent, valid and comparable results;
- identifies the information security risks;
- identifies the risk owners;
- analyses the risks;
- evaluates the risks;
- prioritises the analysed risks for treatment.

The standard requires documented information about the risk assessment process to be retained. In practice this means a documented methodology and the records of each assessment.

Identifying Information Security Risks

The risk identification step looks at the information assets within the scope of the ISMS and identifies what could go wrong. The standard requires the assessment to identify risks associated with the loss of confidentiality, integrity and availability of information. These three properties - the so-called CIA triad - are the foundation of information security risk assessment.

Most assessments are asset-based. The starting point is the information assets register: what information does the organisation hold, where is it, who owns it. Each asset is then considered against the threats and vulnerabilities that could affect its confidentiality, integrity or availability. The output is a list of identified risks, each one associated with an asset, a threat, a vulnerability and an impact on one or more of the CIA properties.

Analysing and Evaluating the Risks

Risk analysis estimates the likelihood and consequence of each identified risk. The methodology must produce consistent, valid and comparable results - if the same risk is assessed twice, the scores should be similar. Most organisations use a simple matrix with three or five levels of likelihood and consequence, giving a score that can be sorted and prioritised.

Risk evaluation compares the analysed risks against the risk acceptance criteria. Risks that fall above the acceptance threshold are flagged for treatment. Risks that fall below it can be accepted as they are. The acceptance criteria are decided by the organisation - usually by top management - and are reviewed at management review.

Risk Owners

Each identified risk has an owner. The risk owner is the person with the authority and accountability to manage the risk. The risk owner approves the residual risk after treatment, which means they must have enough seniority to make that call. For most information security risks the owner sits at department head level or above.
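As an added example, and not code from this page or from the alphaZ toolkit, the Python below strings together the four steps just described: an asset-based register entry (asset, threat, vulnerability, CIA properties affected), a likelihood x consequence matrix score, evaluation against acceptance criteria, and a check that every risk has a named owner. The five-level scales, the per-property acceptance thresholds (so that a confidentiality-sensitive business can accept less on C than on A), and every asset, threat and owner in the sample register are constructed assumptions. Validation rejects scores outside the defined scale, which is the mechanical part of keeping results consistent and comparable between assessments.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Five-level scales for likelihood and consequence (constructed for this
# example; the standard does not prescribe the number of levels).
SCALE = {1: "very low", 2: "low", 3: "medium", 4: "high", 5: "very high"}
CIA = ("C", "I", "A")


@dataclass(frozen=True)
class Risk:
    risk_id: str
    asset: str                 # entry from the information assets register
    threat: str
    vulnerability: str
    affects: Tuple[str, ...]   # which of C, I, A the risk impacts
    likelihood: int            # 1..5 on SCALE
    consequence: int           # 1..5 on SCALE
    owner: Optional[str] = None


def validate(risk: Risk) -> None:
    """Reject entries that would make results non-comparable between assessments."""
    if risk.likelihood not in SCALE or risk.consequence not in SCALE:
        raise ValueError(f"{risk.risk_id}: likelihood and consequence must be 1-5")
    if not risk.affects or any(p not in CIA for p in risk.affects):
        raise ValueError(f"{risk.risk_id}: must name at least one of C, I, A")


def score(risk: Risk) -> int:
    """Simple matrix score: likelihood x consequence, range 1..25."""
    validate(risk)
    return risk.likelihood * risk.consequence


def evaluate(risk: Risk, acceptance: Dict[str, int]) -> str:
    """Compare the analysed risk with the acceptance criteria.

    'acceptance' holds the highest score the business will accept for each
    property. A risk is flagged for treatment if it exceeds the threshold of
    any property it affects; otherwise it can be accepted as it is.
    """
    threshold = min(acceptance[p] for p in risk.affects)
    return "treat" if score(risk) > threshold else "accept"


def prioritise(register: List[Risk], acceptance: Dict[str, int]) -> List[Tuple[str, int, str]]:
    """Return (risk_id, score, decision), highest score first; ties keep register order."""
    rows = [(r.risk_id, score(r), evaluate(r, acceptance)) for r in register]
    return sorted(rows, key=lambda row: -row[1])


def risks_without_owner(register: List[Risk]) -> List[str]:
    """Clause 6.1.2 requires each risk to have an owner; list any that do not."""
    return [r.risk_id for r in register if not r.owner]


# Constructed sample register (hypothetical assets, threats and owners).
SAMPLE_REGISTER = [
    Risk("R1", "Customer database", "External attacker", "Unpatched database server",
         ("C", "I"), likelihood=3, consequence=5, owner="Head of IT"),
    Risk("R2", "Order processing system", "Hardware failure", "No redundant power supply",
         ("A",), likelihood=2, consequence=4, owner="Operations Director"),
    Risk("R3", "HR personnel files", "Insider misuse", "Over-broad file share permissions",
         ("C",), likelihood=2, consequence=3, owner=None),
    Risk("R4", "Public website content", "Defacement", "Weak CMS admin password",
         ("I",), likelihood=2, consequence=2, owner="Marketing Manager"),
]

# Constructed acceptance criteria: confidentiality matters most to this
# business, so its threshold is lowest; anything scoring above it is treated.
SAMPLE_ACCEPTANCE = {"C": 6, "I": 9, "A": 9}

if __name__ == "__main__":
    for risk_id, s, decision in prioritise(SAMPLE_REGISTER, SAMPLE_ACCEPTANCE):
        print(f"{risk_id}: score {s:2d} -> {decision}")
    print("Risks still needing an owner:", risks_without_owner(SAMPLE_REGISTER))
```

Run as a script it lists the register in priority order (R1 scores 15 and is flagged for treatment; the others fall within their thresholds) and reports R3 as lacking an owner, which is the kind of gap an auditor would expect the register to surface before it reaches management review.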

The asset list is what makes or breaks the risk assessment. If you do not know what information you hold or where it is, you cannot assess risk against it. Spend time on the asset register before worrying about risk scoring methodologies.

The CIA triad is the right starting point, but its three properties are not always equally important. For some organisations confidentiality dominates - lose customer data and the business is in serious trouble. For others availability is the main concern - the systems have to stay up. The risk acceptance criteria should reflect what the business actually cares about, not the textbook split.

I look for two things at this clause. First, that the methodology is written down and being applied consistently. Second, that the risks identified actually make sense for the business. A generic risk register with the same risks as every other organisation in the sector is a warning sign. The risks should be specific, with named assets and realistic threats.

Practical Compliance Guidance

The information security risk register is the central document for Clause 6.1.2. The methodology that defines how risks are scored and accepted lives in the management system manual or in a dedicated risk procedure. The information assets register supports the risk identification step.

The documents below cover the risk methodology, the information assets register and the risk register itself.

alphaZ document - How to use it

ISO 27001 Toolkit - Complete documentation set including the risk methodology, information assets register and information security risk register.

ER15 Information Security Risks Register - Risk register tailored to information security with built-in scoring for confidentiality, integrity and availability and tracking of risk owners and treatments.

F-IMS25 Information Assets Register - Records the information assets within the ISMS scope, used as the starting point for asset-based risk identification.

Note - all the above files can be downloaded with an alphaZ subscription.

Frequently Asked Questions

No. The standard requires a methodology that produces consistent, valid and comparable results and that addresses confidentiality, integrity and availability. Beyond that, the organisation chooses the approach. Asset-based, scenario-based and threat-based methodologies are all acceptable.

At planned intervals, and when significant changes occur. Most organisations review the full risk register annually as part of management review, with smaller updates as new risks emerge or treatments are completed. Major changes - new systems, new suppliers, incidents - trigger interim updates.

The risk owner is the person with the authority and accountability to manage the risk and approve residual risk after treatment. They need to be senior enough to make that call. Department heads or directors are typical. The information security manager often coordinates risks but is not usually the owner.

UK Legislation

The following UK legislation creates obligations that often appear as inputs into the information security risk assessment.
