Risk assessments remain central to ISO 27001 compliance in 2025, ensuring your ISMS (information security management system) is robust and effective. ISO 27001:2022 and ISO 27002:2022 introduced several updates that organisations should incorporate into their risk assessment processes.
Here are the seven essential steps for conducting a successful ISO 27001 risk assessment in line with current best practices.
1. Define your risk assessment methodology
ISO 27001 does not prescribe a single methodology. Rather, organisations must tailor the approach to fit their needs. Your methodology should clearly define:
- Your organisation’s context (legal, regulatory, contractual obligations, and stakeholder expectations).
- Risk criteria (how you measure risk based on impact and likelihood).
- Risk acceptance criteria (what level of residual risk your organisation is willing to accept).
Consistency and clarity in these definitions ensure reliable and comparable results across your assessments.
2. Identify and catalogue your information assets
ISO 27001 allows for asset-based or scenario-based approaches. The asset-based method is commonly recommended as it builds upon existing asset inventories.
Your asset list should include:
- Electronic and hard copy data
- Mobile devices
- Removable media
- Intellectual property and other intangible assets
Regularly updating your asset register is critical to accurately assessing risks.
3. Identify threats and vulnerabilities
For each asset, document relevant threats and vulnerabilities. Examples include:
- Theft or loss of laptops or mobile devices
- Insecure internet connections when working remotely
- Visibility of sensitive data in public spaces
Comprehensive threat and vulnerability identification ensures thorough protection against potential breaches.
4. Evaluate risks
Not all risks are equal. Use your previously defined risk criteria to assess each risk based on two dimensions:
- Likelihood (the probability of occurrence)
- Impact (potential harm or damage)
While ISO 27001 doesn’t prescribe a specific scoring method, a consistent system (such as a numerical or qualitative rating) must be applied organisation wide.
5. Determine risk treatment options
Risks can be treated through one or more of the following approaches:
- Modify the risk by implementing controls to reduce likelihood and impact.
- Retain the risk if it meets your acceptance criteria.
- Avoid the risk by changing processes or removing the risk source.
- Transfer the risk (sharing responsibility, e.g., through insurance or outsourcing).
ISO 27001 requires every identified risk to have clearly documented treatment decisions, approved by a designated risk owner.
6. Compile essential risk documentation
Documentation is crucial for ISO 27001 compliance, certification, and audits. You must produce:
- An RTP (risk treatment plan), detailing risk management actions and responsibilities.
- An SoA (statement of applicability), which must include:
- Selected security controls and justifications for their selectionImplementation status of controls
- Justifications for omitting any controls
- Clearly documented records facilitate effective audits and demonstrate compliance.
7. Regularly review, monitor and improve
ISO 27001 is built on continual improvement. Regularly reviewing your risk assessments ensures your ISMS evolves alongside your organisation and the threat landscape. Perform assessments annually or whenever significant operational changes occur.
Regular monitoring allows you to:
- Stay ahead of emerging threats
- Adjust controls based on their effectiveness
- Ensure ongoing compliance with evolving standards
Learn more about ISO 27001 risk assessments
You can learn more about each of these steps by reading Nine Steps to Success – An ISO 27001 Implementation Overview.
This concise guide helps you get to grips with the requirements of the Standard and make your ISO 27001 implementation project a success.
Written by Alan Calder, Nine Steps to Success guides you through an ISO 27001 implementation project step-by-step, covering the essential aspects, including gaining management support, scoping, planning, communication, risk assessment and documentation.
A version of this blog was originally published on 19 September 2017.
The post 7 Steps to a Successful ISO 27001 Risk Assessment – Updated for 2025 appeared first on IT Governance Blog.