ISO 27001 Risk Assessment

An ISO 27001 Risk Assessment is a systematic process for identifying, analysing, and evaluating risks to an organisation's information security.

Clauses 6 and 8 of the Standard require not only that you perform risk assessments as part of establishing and maintaining an information security management system (ISMS), but also that you define and apply a documented risk assessment process (clause 6.1.2) that produces consistent, valid and comparable results, and that you repeat the assessment at planned intervals and whenever significant changes are proposed or occur (clause 8.2).

The risk assessment aims to identify potential threats and vulnerabilities to your organisation’s information assets, evaluate the likelihood and impact of these risks, and prioritise actions to mitigate or manage them.  This process ensures that security measures are proportionate to the actual risks faced, rather than being arbitrarily implemented.  Annex A of ISO 27001 has a list of controls that can be implemented to help mitigate and/or manage risks that are identified.  As such, completing an ISO 27001 risk assessment enables you to produce your Statement of Applicability (SoA), which is a mandatory requirement of the Standard.

URM’s large team of information security and risk management experts can support your ISO 27001 risk assessment and ensure it is conducted in full conformance with the Standard.  With our web-based risk assessment tool, Abriska 27001, you are guaranteed to produce a robust and repeatable risk assessment that meets the requirements of ISO 27001.

Benefits of an ISO 27001 Risk Assessment:

Enhanced Information Security: Helps your organisation identify potential vulnerabilities and address them before they can be exploited.

Conformance to ISO 27001: A risk-based approach to information security is a mandatory requirement for achieving ISO 27001 certification.

Efficient Resource Allocation: By focusing on the most significant risks, you can allocate resources more effectively.

Improved Decision-Making: Provides insights that help management make informed decisions regarding security measures and controls.

Continuous Improvement: Risk assessments are an ongoing process, enabling organisations to adapt to new threats, technologies, and changes in the business environment.

Boosts Stakeholder Confidence: Demonstrates to customers, partners, and regulators that your organisation takes information security seriously.

Workplace Culture: Drives an ‘information security first’ work environment that can improve identification and notification of new risks.

Key Steps in an ISO 27001 Risk Assessment:

ISO 27001 doesn’t prescribe a specific risk assessment methodology, giving you the flexibility to choose an approach that suits your organisation.  However, the Standard does specify the elements any methodology must cover: defined risk acceptance criteria and criteria for performing assessments, identification of risks and their owners, analysis of likelihood and consequences, and evaluation of each risk against the acceptance criteria.

URM’s team of ISO 27001 experts can support each stage of the risk assessment, or provide assistance with particular steps or aspects.  

Define the Scope:

The first step is to define the scope of the risk assessment.  URM can help you identify the assets, systems, and processes that are within the boundary of the ISMS.

Establish a Risk Assessment Methodology:

  • Risk Criteria: Our experts can assist you to define the criteria for assessing risks, such as acceptable levels of risk and your organisation's risk tolerance.
  • Risk Scoring: We will leverage our extensive experience performing risk assessments to establish an appropriate method for scoring or ranking risks based on likelihood and impact.

Identify Risks:

We will identify the potential risks to information security within your organisation by reviewing all assets within the scope, such as data, systems, people, and facilities, and assign a risk owner to each identified risk, as the Standard requires.  This step involves identifying:

  • Threats: Potential actions or events that could exploit a vulnerability (e.g., unauthorised access by an attacker, malware infection, accidental deletion by staff).
  • Vulnerabilities: Weaknesses that could be exploited by threats (e.g., unpatched software, weak access controls, unencrypted backups).

Analyse and Evaluate Risks:

Here, we use established best practice to help you understand the criticality of each risk:

  • Likelihood: Assessing how likely it is that a particular risk will materialise.
  • Impact: Evaluating the potential consequences if the risk were to occur (e.g., financial loss, reputational damage).
  • Risk Level: Combining the likelihood and impact to calculate the overall risk level for each threat-vulnerability pair.

Select Risk Treatment Options:

There is a range of risk treatment options available (the Standard and ISO 27005 refer to them as modifying, retaining, sharing and avoiding the risk), and URM’s information security experts will help you select the most appropriate approach for each risk:

  • Mitigation: Implementing security controls to reduce the risk (e.g., firewalls, encryption, training).
  • Acceptance: Accepting the risk if it's within the organisation’s risk tolerance.
  • Transfer (sharing): Sharing the risk with a third party (e.g., insurance or outsourcing).  Note that accountability for the risk and for the information remains with your organisation, so shared risks still need an owner and ongoing monitoring.
  • Avoidance: Eliminating the risk by discontinuing risky activities or assets.

Implement Controls:

For the risks you have chosen to mitigate, URM can help you select and implement the necessary controls.  ISO 27001’s Annex A provides a list of 93 controls that can be applied, covering areas such as access control, physical security, incident management, and more.  Note: This list of controls is not exhaustive and additional controls can be used in combination with the controls identified in Annex A.

Document the Risk Assessment Results:

URM will ensure all findings, decisions, and treatments are well-documented, including the justification for any risk that is retained above your acceptance criteria, to demonstrate conformance with ISO 27001 and support future audits.

Monitor and Review:

Risk assessments must be revisited at planned intervals and whenever significant changes are proposed or occur (clause 8.2).  URM will offer you detailed advice and guidance on ongoing monitoring, which ensures that any changes in the threat landscape, organisation, or technology are considered and managed appropriately.
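The steps above describe a methodology rather than a tool.  As an added illustration (not URM’s Abriska software, and not code from the Standard), the following Python script encodes one such methodology end to end: a 1-5 likelihood and impact scale, a risk acceptance threshold, a risk owner per risk, the four treatment options, and the two outputs the Standard expects, a prioritised risk treatment plan and a Statement of Applicability derived from the selected controls.  The scale, the threshold of 8, the sample risk register and the control-to-risk mapping are all constructed assumptions for the example; the Annex A control titles quoted are from the 2022 numbering.

```python
"""Repeatable ISO 27001-style risk assessment (added illustration, not the page's own tool)."""
from dataclasses import dataclass, field
from typing import Dict, List

# Assumed 1-5 scales for likelihood and impact; the Standard leaves the scale to the organisation.
SCALE_MIN, SCALE_MAX = 1, 5

# Assumed risk acceptance criterion: likelihood x impact up to this value may be retained
# without further treatment. Above it, a risk must be modified, shared or avoided, or
# retained with a documented justification.
ACCEPTANCE_THRESHOLD = 8

# Treatment options as named in clause 6.1.3 / ISO 27005 (mitigate = modify, accept = retain,
# transfer = share).
TREATMENT_OPTIONS = ("modify", "retain", "share", "avoid")


@dataclass
class Risk:
    risk_id: str
    asset: str
    threat: str
    vulnerability: str
    owner: str                      # clause 6.1.2 requires an owner for every identified risk
    likelihood: int
    impact: int
    treatment: str = "modify"
    controls: List[str] = field(default_factory=list)  # Annex A references when treatment is "modify"
    justification: str = ""         # required when a risk above the threshold is retained

    def score(self) -> int:
        return self.likelihood * self.impact

    def level(self) -> str:
        s = self.score()
        if s <= ACCEPTANCE_THRESHOLD:
            return "low"
        return "medium" if s <= 15 else "high"


def validate(risk: Risk) -> None:
    """Reject records that would make results inconsistent or non-comparable."""
    for name, value in (("likelihood", risk.likelihood), ("impact", risk.impact)):
        if not SCALE_MIN <= value <= SCALE_MAX:
            raise ValueError(f"{risk.risk_id}: {name}={value} outside {SCALE_MIN}-{SCALE_MAX}")
    if risk.treatment not in TREATMENT_OPTIONS:
        raise ValueError(f"{risk.risk_id}: unknown treatment {risk.treatment!r}")
    if not risk.owner:
        raise ValueError(f"{risk.risk_id}: every risk needs an owner")
    if risk.treatment == "modify" and not risk.controls:
        raise ValueError(f"{risk.risk_id}: 'modify' needs at least one control")
    if risk.treatment == "retain" and risk.score() > ACCEPTANCE_THRESHOLD and not risk.justification:
        raise ValueError(f"{risk.risk_id}: retaining a risk above the threshold needs a justification")


def prioritise(risks: List[Risk]) -> List[Risk]:
    """Evaluate every risk against the criteria and order them, highest score first."""
    for r in risks:
        validate(r)
    return sorted(risks, key=lambda r: (-r.score(), r.risk_id))


def treatment_plan(risks: List[Risk]) -> List[Dict[str, object]]:
    """Risk treatment plan: every risk that exceeds the acceptance threshold, in priority order."""
    return [
        {"risk_id": r.risk_id, "owner": r.owner, "score": r.score(),
         "treatment": r.treatment, "controls": list(r.controls)}
        for r in prioritise(risks) if r.score() > ACCEPTANCE_THRESHOLD
    ]


def statement_of_applicability(risks: List[Risk]) -> Dict[str, List[str]]:
    """Map each selected Annex A control to the risks that justify including it."""
    soa: Dict[str, List[str]] = {}
    for r in prioritise(risks):
        for c in r.controls:
            soa.setdefault(c, []).append(r.risk_id)
    return dict(sorted(soa.items()))


# Constructed sample risk register for the example (not real data).
SAMPLE_RISKS = [
    Risk("R1", "Customer database", "Exploitation of a known CVE", "Unpatched database server",
         "Head of IT", 4, 5, "modify", ["A.8.8 Management of technical vulnerabilities"]),
    Risk("R2", "Staff laptops", "Malware infection via email", "No endpoint protection",
         "IT Manager", 3, 4, "modify",
         ["A.8.7 Protection against malware",
          "A.6.3 Information security awareness, education and training"]),
    Risk("R3", "HR portal", "Credential stuffing", "Password-only login, no MFA",
         "HR Director", 3, 3, "retain",
         justification="Portal is decommissioned next quarter; login monitoring in place"),
    Risk("R4", "Archive tapes", "Theft from off-site store", "Tapes not encrypted",
         "Facilities Manager", 1, 3, "retain"),
    Risk("R5", "Legacy FTP service", "Interception of credentials", "Cleartext protocol",
         "Head of IT", 4, 3, "avoid"),
]

if __name__ == "__main__":
    for r in prioritise(SAMPLE_RISKS):
        print(f"{r.risk_id} {r.score():>2} {r.level():<6} {r.treatment:<6} owner={r.owner}")
    print(treatment_plan(SAMPLE_RISKS))
    print(statement_of_applicability(SAMPLE_RISKS))
```

Because the scale, threshold and treatment rules are fixed in one place and every record is validated against them, two assessors scoring the same register get the same ordering, which is the "consistent, valid and comparable" property clause 6.1.2 asks for.  The R3 record shows the caveat from the treatment step: a retained risk above the threshold is only accepted when its justification is recorded.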

Our Approach

ISO 27001 is fundamentally a risk-based standard: you identify the risks that are specific to your organisation’s information assets and decide how best to treat them based on your risk appetite.  Using its proven ISO 27001 risk assessment tool, Abriska, URM can assist you not just in identifying the threats to your information assets, but in determining the likelihood and impact of them occurring.  Once you have identified your greatest risks, you are then able to prioritise your risk treatment activities and make the most of your time, effort and budget.  With Abriska, you will also be able to run all the necessary ISO 27001 reports, including mandatory documents such as the Statement of Applicability (SoA), risk register and risk treatment plan (RTP).  The software tool is fully compatible with the 2022 version of the Standard, is populated with all the new controls and offers a variety of transition options.

Why URM for ISO 27001?

Risk management expertise

Getting the assessment and management of information security risk right is critical. It is also an area where URM excels and where clients can take advantage of URM’s in-house risk management module, Abriska, with its robust and proven risk assessment methodology and the extensive experience and expertise of its ISO 27001 consultants.

Achieving optimum balance

When helping develop your ISMS, URM’s goal is to achieve the optimum balance between meeting the mandatory management system requirements of ISO 27001 and ensuring your management system is fully sustainable and tailored to your organisation’s size, culture and business objectives.

Track record

URM has an unparalleled track record of assisting over 400 organisations to achieve and maintain ISO 27001 certification and is proud to have never been involved in a failed certification project.  Our clients have ranged in size from micro businesses to multinationals and come from a diverse range of market sectors and, due to our tailored approach, every one of the 350+ implemented ISMSs has been different.

Practice what we preach

URM has been certified to ISO 27001 ever since the Standard was first introduced in 2005.  Furthermore, it became one of the UK’s first organisations to transition to ISO 27001:2022 in April 2023.  The experiences gained in maintaining and transitioning certification helps to ensure our consultancy and training services remain current and relevant.

We aim to give you the knowledge and tools you require to implement, establish, maintain and manage your ISMS.
