
One of the most common challenges during ISO 27001 implementation is translating high-level risk management concepts into a structured, repeatable, and audit-ready operational process.
While ISO/IEC 27001 requires organisations to perform information security risk assessments, ISO/IEC 27005 provides guidance on how to perform those activities consistently and effectively within the wider ISMS lifecycle.
In this article, we examine the core activities involved in performing an ISO 27001-aligned risk assessment, including:
To keep the walkthrough readable and to follow the order in which the activities are actually performed, it has been divided into two parts:
Throughout this article, we reference practical examples, scoring models, and implementation templates commonly used during ISO 27001 implementation. To keep the roadmap focused on methodology, governance, and decision-making, these operational examples are provided separately in the accompanying ISO 27001 Risk Assessment Toolkit.
Under ISO/IEC 27005, information security risk management is presented as a structured and iterative lifecycle covering:
This lifecycle provides the foundation for effective information security risk management and supports the operation of an ISO 27001-aligned Information Security Management System (ISMS).
Under ISO/IEC 27005, establishing context ensures that information security risks are assessed consistently against organisational objectives, operating environment, and risk appetite.
The context defines the boundaries, assumptions, and evaluation criteria governing the entire risk management process.
A key activity in establishing this context is performing a Gap Assessment to understand the organisation’s current control environment and identify areas requiring improvement.
The Gap Assessment begins with a review of all 93 Annex A controls in ISO/IEC 27001:2022, documenting each control and categorising it by implementation status and by control theme (organisational, people, physical, and technological).
For each control, organisations should capture:
Detailed examples and templates are included in the accompanying ISO 27001 Risk Assessment Toolkit.
Once completed, the Gap Assessment becomes a core input into the wider risk assessment process. It is not a standalone exercise, but a living document supporting ongoing ISMS monitoring and improvement activities.
The Gap Assessment supports:
For example:
The Gap Assessment establishes the baseline control posture used to evaluate both inherent and residual risk exposure.
Before risks can be assessed consistently, organisations should define how risks will be measured and evaluated across the ISMS.
ISO/IEC 27005 establishes that risk assessment criteria specify how the significance of a risk is determined in terms of:
Risk assessment criteria should be standardised across the organisation to support consistency, comparability, and informed decision-making.
At a minimum, organisations should formally define:
Impact should be assessed across business-relevant dimensions such as:
For example, a critical operational impact may involve prolonged inability to deliver core client services or significant business disruption.
Detailed impact scoring examples and templates are included in the accompanying ISO 27001 Risk Assessment Toolkit.
Where multiple dimensions apply, organisations should define how the overall impact score is determined.
The Cycubix methodology uses the highest applicable impact rating unless otherwise justified and formally approved. Where a lower rating is used, the justification and the approval should be recorded against the risk in the Risk Register so that an auditor can trace the decision. This supports conservative, risk-based decision-making aligned with ISO expectations.
Likelihood estimates how probable a risk event is over a defined assessment period, using the most appropriate measurable basis available.
Organisations should consider:
Detailed likelihood scoring examples and assessment templates are included in the accompanying toolkit.
Once impact and likelihood have been assessed, organisations can determine the overall risk level using their approved risk evaluation model.
The resulting risk score is then evaluated against documented risk acceptance criteria to determine whether the risk:
Detailed risk matrices and acceptance threshold examples are included in the ISO 27001 Risk Assessment Toolkit.
Once the organisation has established its assessment criteria and baseline control posture, it can move into the operational phase of risk assessment.
Risk identification involves systematically documenting the events and conditions that could negatively affect information security objectives.
This process examines three key elements:
Organisations should identify environmental, human, technological, and process-related threat sources, then assess how existing vulnerabilities and control gaps (including those recorded in the Gap Assessment) may increase exposure.
ISO/IEC 27005 supports multiple identification techniques, including:
Supporting documentation commonly developed during this phase includes:
The result is a structured inventory of risks documented within the organisation’s Risk Register.
Once risks are identified, organisations evaluate each risk using the approved assessment criteria and risk matrix.
This includes assessing:
The purpose of risk analysis is to establish a consistent and evidence-based understanding of organisational risk exposure prior to treatment decisions.
The analysis phase also helps organisations prioritise resources and remediation activities according to assessed business impact rather than perceived technical severity alone.
The evaluation phase compares analysed risks against documented risk acceptance criteria to determine the appropriate course of action.
Risks may:
Residual risk may only be accepted where:
As a default principle, residual high or very high risks should not be accepted without documented justification, formal approval by an accountable risk owner, and a time-bound remediation plan.
ISO/IEC 27005 recognises that some risks may require additional scrutiny regardless of numerical score.
These may include:
For example, a medium-scored GDPR-related risk may still require treatment due to regulatory sensitivity and potential legal exposure.
Similarly, multiple individually acceptable risks affecting the same business process may collectively create unacceptable operational exposure.
Organisations should therefore evaluate risks not only numerically, but also within a broader business and regulatory context.
Once mitigation controls have been identified, organisations must determine the remaining residual risk exposure based on control implementation and effectiveness.
The Cycubix methodology uses implementation coverage as a supporting indicator to justify residual risk scoring within the organisation's defined risk evaluation model. Coverage measures how much of the planned control set is in place; it does not by itself demonstrate that those controls operate effectively, so it should be read alongside evidence of control effectiveness rather than used as the sole basis for reducing a score.
Residual risk evaluation should consider:
While ISO/IEC 27005 does not prescribe specific residual risk calculation models, organisations should apply a methodology that is consistent, defensible, and aligned with business context.
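As an added illustration of the scoring rules described above (highest applicable impact with a justified, approved override; a likelihood-by-impact matrix; acceptance thresholds; the regulatory-sensitivity and aggregate-exposure checks; and residual risk informed by control coverage and effectiveness), here is a small Python risk-register scorer. It is example code written for this page, not part of the Cycubix toolkit or of ISO/IEC 27005. The 1-5 scales, the band boundaries, the acceptance levels, the aggregate threshold, the residual-risk reduction model and the sample register entries are all assumptions that an organisation would replace with its own approved criteria.

```python
"""Worked risk scoring for an ISO 27001-aligned risk register (added example).
The scales, bands, thresholds and residual-risk model are assumptions,
not values from the article or the Cycubix toolkit."""
from collections import defaultdict
from dataclasses import dataclass
from math import ceil
from typing import Dict, List, Optional, Tuple

IMPACT_DIMENSIONS = ("operational", "financial", "legal_regulatory", "reputational")
SCALE = range(1, 6)  # assumed: 1 = very low .. 5 = critical
# Assumed risk-level bands over impact x likelihood on a 5x5 matrix.
BANDS = ((1, 4, "Low"), (5, 9, "Medium"), (10, 15, "High"), (16, 25, "Very High"))
ACCEPTABLE_LEVELS = {"Low", "Medium"}  # assumed risk acceptance criteria
AGGREGATE_THRESHOLD = 16  # assumed: summed residual score per business process


@dataclass
class Risk:
    risk_id: str
    process: str                           # business process the risk affects
    impact: Dict[str, int]                 # impact score per applicable dimension
    likelihood: int
    control_coverage: float = 0.0          # 0..1 share of planned controls implemented
    control_effectiveness: float = 0.0     # 0..1 assessed effectiveness of those controls
    regulatory: bool = False               # e.g. GDPR-relevant: forces treatment of Medium
    impact_override: Optional[int] = None  # lower rating used instead of the highest
    override_justification: str = ""       # required when impact_override is set


def overall_impact(risk: Risk) -> int:
    """Highest applicable impact rating, unless a lower one is justified and approved."""
    if not risk.impact or set(risk.impact) - set(IMPACT_DIMENSIONS):
        raise ValueError("unknown or missing impact dimension")
    if any(s not in SCALE for s in risk.impact.values()):
        raise ValueError("impact score outside the scale")
    highest = max(risk.impact.values())
    if risk.impact_override is None:
        return highest
    if risk.impact_override not in SCALE or risk.impact_override > highest:
        raise ValueError("an override may only lower the rating")
    if not risk.override_justification.strip():
        raise ValueError("a lower rating requires documented justification and approval")
    return risk.impact_override


def score_to_level(score: int) -> str:
    for low, high, name in BANDS:
        if low <= score <= high:
            return name
    raise ValueError("score outside the matrix")


def inherent_risk(risk: Risk) -> Tuple[int, str]:
    if risk.likelihood not in SCALE:
        raise ValueError("likelihood outside the scale")
    score = overall_impact(risk) * risk.likelihood
    return score, score_to_level(score)


def residual_risk(risk: Risk) -> Tuple[int, str]:
    """Assumed model: controls that are both implemented and effective reduce
    likelihood proportionally (floor 1); impact is left unchanged."""
    for value in (risk.control_coverage, risk.control_effectiveness):
        if not 0.0 <= value <= 1.0:
            raise ValueError("coverage and effectiveness must be in 0..1")
    reduction = risk.control_coverage * risk.control_effectiveness
    residual_likelihood = max(1, ceil(risk.likelihood * (1 - reduction)))
    score = overall_impact(risk) * residual_likelihood
    return score, score_to_level(score)


def evaluate(register: List[Risk]) -> Dict[str, str]:
    """Compare residual risk with the acceptance criteria, then apply the
    contextual rules: regulatory sensitivity and aggregate exposure per process."""
    residual = {r.risk_id: residual_risk(r) for r in register}
    exposure_by_process = defaultdict(int)
    for r in register:
        exposure_by_process[r.process] += residual[r.risk_id][0]
    decisions = {}
    for r in register:
        level = residual[r.risk_id][1]
        if level not in ACCEPTABLE_LEVELS:
            decisions[r.risk_id] = "Treat"
        elif r.regulatory and level != "Low":
            decisions[r.risk_id] = "Treat (regulatory sensitivity)"
        elif exposure_by_process[r.process] > AGGREGATE_THRESHOLD:
            decisions[r.risk_id] = "Review (aggregate exposure on process)"
        else:
            decisions[r.risk_id] = "Accept"
    return decisions


def sample_register() -> List[Risk]:
    """Constructed sample entries for illustration, not real assessment data."""
    return [
        Risk("R1", "order fulfilment", {"operational": 5, "financial": 4, "reputational": 3},
             likelihood=4, control_coverage=0.5, control_effectiveness=0.8),
        Risk("R2", "marketing", {"legal_regulatory": 3, "reputational": 3},
             likelihood=3, control_coverage=0.6, control_effectiveness=0.5, regulatory=True),
        Risk("R3", "hr onboarding", {"reputational": 2}, likelihood=2),
        Risk("R4", "payroll", {"financial": 3, "operational": 2}, likelihood=3),
        Risk("R5", "payroll", {"operational": 3}, likelihood=3),
    ]
```

Running `evaluate(sample_register())` shows the three behaviours the text describes: R1 stays High after partial control implementation and must be treated; R2 scores Medium, which the assumed criteria would accept, but is forced into treatment because of its regulatory flag; R4 and R5 are each an acceptable Medium yet are flagged for review because their combined residual exposure on the payroll process exceeds the aggregate threshold. The override path in `overall_impact` refuses a lower rating that carries no justification, which mirrors the requirement that deviations from the highest applicable impact be documented and approved.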
In Part 4, Step 3 introduced Risk Assessment as a key activity for driving informed implementation decisions. In this article, we explored that activity in greater detail by examining the core components of an effective ISO 27001-aligned risk assessment process:
Together, these activities establish the operational foundation of an effective ISMS.
They help organisations ensure that risk management activities remain:
Every organisation approaches ISO 27001 implementation from a different operational, regulatory, and resource context. The challenge is not simply performing a risk assessment, but building a process that remains practical, maintainable, and audit-ready over time.
Need Support With Your ISO 27001 Implementation?
At Cycubix, we help organisations design and operationalise ISO 27001-aligned ISMS programmes that support certification readiness and long-term business resilience. Contact us to discuss how we can support your ISO 27001 implementation journey.
In Part 7, we will continue with:
We will also examine how organisations document and operationalise risk treatment decisions within the Risk Register and wider ISMS governance framework.
The ISO 27001 Roadmap series by Cycubix provides a step-by-step guide to building, implementing, and maintaining an Information Security Management System (ISMS), helping organisations worldwide turn ISO 27001 from theory into action.