In Part 4 we introduced a key implementation recommendation: bring the Annex A controls forward early in the implementation process and use them as a discovery tool rather than treating them as a checklist applied at the end.
This early control visibility now becomes a critical input into the formal risk management activities required by ISO 27001 and guided by ISO 27005.
In this article we build on that foundation and explain how to design and execute a risk management process aligned with ISO/IEC 27005, while fully satisfying the mandatory requirements of ISO/IEC 27001:2022. The objective is to help organisations connect controls, risks, and governance decisions in a way that is:
✓ Structured
✓ Non-duplicative
✓ Audit-ready
✓ Operationally sustainable
Many organisations struggle with this connection. ISO 27001 (Clause 6.1) defines what must be achieved regarding risk management, but provides limited implementation guidance. ISO 27005 fills this gap with a structured methodology, though many organisations find it difficult to operationalise without a practical implementation approach.
This Part 5 bridges these standards, providing a practical, step-by-step approach that transforms risk management from a compliance exercise into a strategic business process. We'll show you how your early Annex A review feeds into risk assessment, how the risk register informs control selection, and how everything culminates in a justified, auditable Statement of Applicability (SoA).
ISO/IEC 27001 tells organisations what must be achieved, but it deliberately avoids prescribing how to perform risk management in detail.
That "how" is provided by ISO/IEC 27005, which:
Using ISO 27005 alongside ISO 27001 ensures that risk management is:
✓ Repeatable
✓ Defensible
✓ Consistent across the ISMS lifecycle
ISO 27001 defines what must be done but provides minimal guidance on how to do it. For example, it requires you to "assess potential consequences" but doesn't specify methodology, scales, or techniques.
Before performing any risk management activities, ISO 27001 requires that the context and framework of the ISMS are clearly established.
At this stage, the following documentation must already exist:
These documents define:
Without this foundation, risk assessments often become inconsistent, difficult to justify, and challenging to govern effectively.
It's important to highlight the difference between these two concepts:
Risk Management Process (per ISO 27005): The systematic application of management policies, procedures, and practices to the activities of communicating, consulting, establishing the context, and identifying, analysing, evaluating, treating, monitoring, and reviewing risk.
Risk Assessment: The overall process of risk identification, risk analysis, and risk evaluation — a specific component within the broader risk management process.
Before risks can be properly evaluated, organisations need visibility into their current control environment.
As introduced in Part 4, Cycubix intentionally performs an Annex A Gap Assessment early in the implementation.
This gap assessment serves as a control discovery and readiness exercise rather than a formal risk assessment.
Its Purpose:
✓ Identify existing controls (formal and informal)
✓ Assess control maturity and evidence
✓ Highlight missing or weak controls
✓ Inform later stages of risk identification and treatment
Importantly, the gap assessment is iterative. As risks are treated and controls mature, the gap analysis is continuously updated to reflect the current state of implementation.
Once the context is established and control visibility is achieved, the organisation proceeds with the risk assessment activities defined within the broader ISO 27005 risk management process.
Supporting documentation includes:
During this phase:
The output is a structured set of information security risks, each with a clearly defined context.
Using the Information Risk Register, each identified risk is:
This step determines whether a risk:
For risks that are not acceptable, ISO 27005 defines four treatment options:
If a risk remains unacceptable after treatment, the organisation must:
Doing nothing is not an option under ISO 27001.
When a risk is accepted, it enters a monitoring and review loop.
Risk management is not a one-time activity. It is continuously informed by:
This feedback loop ensures alignment with the Plan–Do–Check–Act (PDCA) cycle at the core of ISO 27001.
Once risks are evaluated and treatment decisions are made, the outputs must be formally documented and maintained within the ISMS.
A common implementation challenge is document overlap. Cycubix avoids this by assigning one clear purpose to each document:
Information Risk Register: Identifies which risks exist and which controls are necessary.
Statement of Applicability (SoA): Declares which Annex A controls are selected or excluded, and why.
Annex A Gap Assessment: Assesses how mature and effective the selected controls are.
Together, they form a coherent and traceable system:
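To make the evaluation and treatment step and the traceability between the three documents concrete, here is an added Python model (illustrative code written for this article, not Cycubix's tooling or a tool prescribed by either standard). The 5x5 likelihood-by-impact scale, the appetite threshold of 8, the 0-5 maturity score used for the gap assessment, and the sample risks are all constructed assumptions; the four treatment options are those named in ISO 27005, and the control identifiers are Annex A controls from ISO/IEC 27001:2022. The checks flag exactly the kinds of mismatch an auditor looks for: an unacceptable risk with no treatment, a "modify" decision with no planned control, a control relied on in the register but excluded in the SoA, a control claimed as existing that the gap assessment shows is not implemented, and an applicable SoA control that nothing justifies.

```python
"""Added example: keep the Information Risk Register, the SoA and the Annex A
gap assessment consistent with each other. Scales and sample data are constructed."""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum


class Treatment(Enum):
    """The four risk treatment options defined by ISO 27005."""
    MODIFY = "modify"   # reduce likelihood or consequence by applying controls
    RETAIN = "retain"   # accept the risk (only within appetite) and keep monitoring it
    AVOID = "avoid"     # stop the activity that gives rise to the risk
    SHARE = "share"     # pass part of the risk to a third party, e.g. insurance


RISK_APPETITE = 8   # constructed threshold on a 5x5 scale (level = likelihood x impact)


@dataclass
class Risk:
    risk_id: str
    scenario: str
    likelihood: int                          # 1 (rare) .. 5 (almost certain), constructed scale
    impact: int                              # 1 (negligible) .. 5 (severe), constructed scale
    existing_controls: list[str] = field(default_factory=list)   # Annex A ids already in place
    treatment: Treatment | None = None       # None = not yet evaluated
    planned_controls: list[str] = field(default_factory=list)    # Annex A ids from the treatment plan

    @property
    def level(self) -> int:
        """Risk analysis: the analysed level on the constructed scale."""
        return self.likelihood * self.impact

    def is_acceptable(self) -> bool:
        """Risk evaluation: compare the analysed level against the appetite."""
        return self.level <= RISK_APPETITE


@dataclass
class SoaEntry:
    applicable: bool
    reason: str          # "risk", "legal" or "contractual": what drives the selection
    justification: str   # free text an auditor can read


def check_traceability(risks: list[Risk], soa: dict[str, SoaEntry],
                       gap: dict[str, int]) -> list[str]:
    """Return findings where the three documents disagree.

    gap maps an Annex A control id to a constructed maturity score 0..5,
    where 0 means the control is not implemented at all.
    """
    findings: list[str] = []
    referenced: set[str] = set()
    for r in risks:
        if not r.is_acceptable() and r.treatment in (None, Treatment.RETAIN):
            findings.append(f"{r.risk_id}: level {r.level} exceeds appetite {RISK_APPETITE} but is not treated")
        if r.treatment is Treatment.MODIFY and not r.planned_controls:
            findings.append(f"{r.risk_id}: treatment 'modify' chosen but no control planned")
        for c in r.existing_controls + r.planned_controls:
            referenced.add(c)
            if c not in soa or not soa[c].applicable:
                findings.append(f"{r.risk_id}: control {c} is relied on but not applicable in the SoA")
        for c in r.existing_controls:
            if gap.get(c, 0) == 0:
                findings.append(f"{r.risk_id}: control {c} listed as existing but the gap assessment shows it is not implemented")
    for c, entry in soa.items():
        if entry.applicable and entry.reason == "risk" and c not in referenced:
            findings.append(f"SoA: {c} applicable for risk reasons but no risk in the register references it")
        if entry.applicable and c not in gap:
            findings.append(f"SoA: {c} applicable but missing from the gap assessment")
    return findings


def review_queue(risks: list[Risk]) -> list[str]:
    """Retained (accepted) risks enter the monitoring and review loop."""
    return [r.risk_id for r in risks if r.treatment is Treatment.RETAIN]


# Constructed sample data: three risks, a partial SoA and a partial gap assessment.
SAMPLE_RISKS = [
    Risk("R-01", "Ransomware encrypts the file server", 4, 5,
         existing_controls=["A.8.7"], treatment=Treatment.MODIFY,
         planned_controls=["A.8.13", "A.8.16"]),
    Risk("R-02", "Laptop holding customer data is lost", 3, 4,
         existing_controls=["A.8.24"], treatment=Treatment.MODIFY),
    Risk("R-03", "Phishing against a read-only intranet account", 2, 2,
         treatment=Treatment.RETAIN),
]
SAMPLE_SOA = {
    "A.8.7": SoaEntry(True, "risk", "Protection against malware, treats R-01"),
    "A.8.13": SoaEntry(True, "risk", "Information backup, planned for R-01"),
    "A.8.16": SoaEntry(False, "risk", "Monitoring activities, excluded: no monitoring capability yet"),
    "A.8.24": SoaEntry(True, "risk", "Use of cryptography, treats R-02"),
    "A.5.31": SoaEntry(True, "legal", "Legal, statutory, regulatory and contractual requirements"),
    "A.5.7": SoaEntry(True, "risk", "Threat intelligence"),
}
SAMPLE_GAP = {"A.8.7": 3, "A.8.13": 1, "A.8.24": 0, "A.5.31": 2, "A.5.7": 1}

if __name__ == "__main__":
    for finding in check_traceability(SAMPLE_RISKS, SAMPLE_SOA, SAMPLE_GAP):
        print(finding)
    print("in monitoring loop:", review_queue(SAMPLE_RISKS))
```

Run against the constructed data the checker reports four findings: R-01 relies on A.8.16, which the SoA excludes; R-02 chose "modify" without a planned control; R-02 claims A.8.24 as existing while the gap assessment scores it 0; and A.5.7 is applicable with no risk behind it. R-03 is the only risk in the review queue. The point is that each document keeps its single purpose and the consistency between them is something you can check mechanically rather than by re-reading three spreadsheets before an audit.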
By explicitly connecting ISO 27001 and ISO 27005, organisations can move beyond checkbox compliance and toward risk-driven, business-aligned security governance.
An effective ISO 27001 implementation depends on treating risk management as a continuous governance process rather than a one-time compliance activity.
In Parts 6 and 7, we will walk through Cycubix's six-step risk assessment approach in practice — breaking down the methodology, required documentation, and decision-making process behind risk identification, evaluation, and treatment. We will show how to translate risk decisions into actionable controls, closing the loop between risk identification, treatment planning, and real-world execution.
The Cycubix team can help you align ISO 27001 and ISO 27005 into a structured, audit-ready implementation approach. Contact us to discuss your ISO 27001 implementation and risk management requirements.
The ISO 27001 Roadmap series by Cycubix provides a step-by-step guide to building, implementing, and maintaining an Information Security Management System (ISMS), helping organisations worldwide turn ISO 27001 from theory into action.