Glossary · Compliance concepts
What is Risk Assessment?
Also known as: Information security risk assessment, Security risk assessment
A risk assessment is the process of identifying assets, threats, and vulnerabilities, then scoring each risk by its likelihood and impact. It is the analytical core of an ISMS, and ISO 27001 clause 6 requires it to follow a repeatable, documented method. Its output drives which controls an organization implements.
Key takeaways
- A risk assessment identifies what could go wrong and how serious it would be, expressed as likelihood times impact.
- ISO 27001 requires the method to be defined and repeatable so results are consistent over time.
- It identifies assets, threats, and vulnerabilities as inputs to scoring.
- Its output feeds risk treatment and the Statement of Applicability.
- It must be repeated and updated, not run once and shelved.
What a risk assessment does
A risk assessment is the structured analysis that tells an organization which risks deserve attention. It works by identifying the assets worth protecting, the threats that could affect them, and the vulnerabilities a threat could exploit, then estimating how likely each scenario is and how damaging it would be.
The product is usually a risk register: a list of risks, each scored so that the organization can compare them and prioritize. Higher likelihood combined with higher impact means a higher-priority risk.
In an ISMS, the risk assessment is the analytical engine. Almost every other artifact, from control selection to the Statement of Applicability, depends on its output.
What ISO 27001 requires
Clause 6 of ISO 27001 requires that the organization define and apply a risk assessment process that produces consistent, valid, and comparable results. The emphasis is on repeatability: the same method, applied again later, should yield comparable outputs.
Practically, this means documenting the method up front, including the criteria for likelihood and impact, the scoring scale, and the threshold at which a risk is considered acceptable. The standard does not prescribe a specific methodology, leaving the organization free to choose one that fits.
- Define risk criteria and an acceptance threshold
- Identify risks across assets, threats, and vulnerabilities
- Analyze each risk for likelihood and impact
- Evaluate and prioritize the resulting risks
Who owns it and how it connects to treatment
The risk assessment is typically owned by the ISMS or risk function, with input from asset and system owners who understand the threats in their areas. Its results flow directly into risk treatment, where the organization decides what to do about each risk, and what residual risk remains afterward.
In an audit, the certification body checks that the method is documented, applied consistently, and kept current. A risk assessment that has not been revisited as the environment changed is a common weakness.
Because the rest of the management system inherits the risk assessment's conclusions, errors or omissions here propagate: a missed risk means a missing control.
Frequently asked questions
- What is the difference between a risk assessment and a risk treatment?
- The risk assessment identifies and scores risks; the risk treatment decides what to do about each one. Assessment is analysis, treatment is the decision and action that follows.
- How often should a risk assessment be done?
- At minimum on a defined periodic basis, and additionally whenever significant changes occur, such as a new system, a major incident, or a change in scope. The point is to keep it current, not run it once.
- Does ISO 27001 require a specific risk methodology?
- No. ISO 27001 requires a defined, repeatable method that yields consistent and comparable results, but lets the organization choose the methodology that fits its context.
- What inputs does a risk assessment need?
- It needs an inventory of assets, an understanding of relevant threats and vulnerabilities, and defined criteria for scoring likelihood and impact against an acceptance threshold.