Free resource
ISO 27001 Risk Assessment Template
A ready-to-use ISO 27001:2022 risk assessment methodology — scoring, treatment options, and a register structure. Copy it for your ISMS, or let CATAAM run risk assessment and Annex A monitoring for you.
1. Scoring methodology
Risk score = Likelihood (1–5) × Impact (1–5), giving a score from 1 to 25.
Likelihood
| Score | Description |
|---|---|
| 1 | Rare — once in 5+ years |
| 2 | Unlikely — once in 2–5 years |
| 3 | Possible — once per year |
| 4 | Likely — multiple times per year |
| 5 | Almost certain — monthly or more |
Impact
| Score | Description |
|---|---|
| 1 | Negligible — no operational impact, no data exposure |
| 2 | Minor — limited impact, quickly resolved |
| 3 | Moderate — significant disruption, limited data exposure |
| 4 | Major — serious harm, regulatory notification likely |
| 5 | Critical — business continuity threatened, mass data breach |
Risk levels & treatment SLAs
| Score | Level | Treatment |
|---|---|---|
| 1–4 | Low | Accept or monitor |
| 5–9 | Medium | Treat within 90 days |
| 10–16 | High | Treat within 30 days |
| 17–25 | Critical | Treat immediately |
Note that with integer 1–5 scales the only products are 1, 2, 3, 4, 5, 6, 8, 9, 10, 12, 15, 16, 20 and 25, so a score of 17, 18 or 19 never occurs and the Critical band is entered only at 20 or 25. Keep the band boundaries as documented anyway; what matters for the audit is that the mapping is written down and applied consistently.
2. Risk treatment options
| Option | When to use |
|---|---|
| Mitigate | Implement controls to reduce likelihood or impact |
| Transfer | Insurance or contractual liability transfer |
| Accept | Document and accept residual risk (needs management sign-off) |
| Avoid | Eliminate the activity that generates the risk |
3. Risk register columns
Track every risk with these fields; link each to an Annex A control for your Statement of Applicability.
- Risk ID
- Asset / area
- Threat
- Vulnerability
- Likelihood (1–5)
- Impact (1–5)
- Score
- Treatment
- Owner
- Due date
- Annex A control
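The scoring bands, treatment options and register columns above are easy to get subtly wrong in a spreadsheet (an unsigned "Accept", a mitigated risk with no Annex A control, a due date computed from the wrong band). The following script is an added example, not part of the template or of CATAAM, that encodes the page's methodology as checkable code: it validates the 1–5 inputs, maps each score to its band and SLA, derives the due date from the assessment date, flags rows that break the treatment rules, and shows which scores are actually reachable. The field names, the three sample risks and the Annex A control references in them are illustrative assumptions; the bands and SLAs are the ones given on this page.

```python
"""Risk register scoring for the ISO 27001 methodology described above.

Added example, not the template's own code. Field names, sample risks and
the Annex A references in the sample data are assumptions; the bands and
SLAs are the ones from the scoring section of the page.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# (min score, max score, level, treatment SLA in days). None = no SLA clock
# ("Accept or monitor"); 0 = "Treat immediately" (due on the assessment date).
RISK_BANDS = [
    (1, 4, "Low", None),
    (5, 9, "Medium", 90),
    (10, 16, "High", 30),
    (17, 25, "Critical", 0),
]
TREATMENT_OPTIONS = {"Mitigate", "Transfer", "Accept", "Avoid"}


@dataclass
class Risk:
    risk_id: str
    asset: str
    threat: str
    vulnerability: str
    likelihood: int                          # 1-5 per the likelihood table
    impact: int                              # 1-5 per the impact table
    treatment: str                           # one of TREATMENT_OPTIONS
    owner: str
    annex_a_control: Optional[str] = None    # e.g. "A.8.8"; feeds the SoA
    accepted_by: Optional[str] = None        # management sign-off for "Accept"


def score(likelihood: int, impact: int) -> int:
    """Likelihood x Impact, rejecting anything outside the 1-5 scales."""
    for name, value in (("likelihood", likelihood), ("impact", impact)):
        if not isinstance(value, int) or not 1 <= value <= 5:
            raise ValueError(f"{name} must be an integer 1-5, got {value!r}")
    return likelihood * impact


def band_for(risk_score: int):
    """Map a 1-25 score to (level, sla_days) using RISK_BANDS."""
    for lo, hi, level, sla_days in RISK_BANDS:
        if lo <= risk_score <= hi:
            return level, sla_days
    raise ValueError(f"score {risk_score} is outside 1-25")


def reachable_scores() -> list:
    """All products of two 1-5 integers. 17, 18 and 19 never occur, so the
    Critical band is only ever entered with a score of 20 or 25."""
    return sorted({lk * im for lk in range(1, 6) for im in range(1, 6)})


def validate(risk: Risk) -> list:
    """Consistency checks a register row must pass before it is accepted."""
    problems = []
    if risk.treatment not in TREATMENT_OPTIONS:
        problems.append(f"{risk.risk_id}: unknown treatment {risk.treatment!r}")
    if risk.treatment == "Accept" and not risk.accepted_by:
        problems.append(f"{risk.risk_id}: Accept requires management sign-off")
    if risk.treatment == "Mitigate" and not risk.annex_a_control:
        problems.append(f"{risk.risk_id}: Mitigate needs an Annex A control for the SoA")
    if not risk.owner:
        problems.append(f"{risk.risk_id}: no owner")
    return problems


def build_register(risks, assessed_on: date) -> list:
    """Score every risk, attach level, due date and issues; highest score first."""
    rows = []
    for r in risks:
        s = score(r.likelihood, r.impact)
        level, sla_days = band_for(s)
        rows.append({
            "risk_id": r.risk_id, "asset": r.asset, "threat": r.threat,
            "vulnerability": r.vulnerability, "likelihood": r.likelihood,
            "impact": r.impact, "score": s, "level": level,
            "treatment": r.treatment, "owner": r.owner,
            "due_date": None if sla_days is None else assessed_on + timedelta(days=sla_days),
            "annex_a_control": r.annex_a_control,
            "issues": validate(r),
        })
    rows.sort(key=lambda row: (-row["score"], row["risk_id"]))
    return rows


# Constructed sample register (illustrative only; control IDs are assumptions).
SAMPLE_RISKS = [
    Risk("R-001", "Customer database", "Ransomware", "Unpatched internet-facing VPN appliance",
         likelihood=4, impact=5, treatment="Mitigate", owner="Head of IT", annex_a_control="A.8.8"),
    Risk("R-002", "Staff laptops", "Device theft", "Disk encryption not enforced",
         likelihood=3, impact=3, treatment="Mitigate", owner="IT Ops", annex_a_control="A.8.24"),
    Risk("R-003", "Shared printer", "Documents left in output tray", "No secure print release",
         likelihood=2, impact=1, treatment="Accept", owner="Office Manager"),  # no sign-off yet
]

if __name__ == "__main__":
    for row in build_register(SAMPLE_RISKS, date(2025, 1, 15)):
        print(row["risk_id"], row["score"], row["level"], row["due_date"], row["issues"])
```

Run as-is it prints R-001 as Critical (20, due on the assessment date), R-002 as Medium (9, due 90 days later) and R-003 as Low with an issue recorded because the Accept has no management sign-off; the `issues` column is what a reviewer or a CI check would block on before the register feeds the SoA.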
ISO 27001 Risk Assessment FAQ
- What is an ISO 27001 risk assessment?
- It is the structured process of identifying information-security risks to your in-scope assets, scoring each by likelihood and impact, and deciding how to treat them. ISO 27001:2022 (Clause 6.1.2) requires a documented, repeatable methodology and a risk register — it is the backbone of your ISMS.
- How do you score risk in ISO 27001?
- Most teams use likelihood × impact on a 1–5 scale, giving a 1–25 score that maps to Low / Medium / High / Critical bands with corresponding treatment SLAs. The exact scale is up to you, but it must be consistent and documented.
- What are the four risk treatment options?
- Mitigate (add controls), Transfer (insurance/contracts), Accept (document residual risk with sign-off), or Avoid (stop the activity). Each risk in the register should record which option was chosen and why.
- Does this template cover ISO 27001:2022 Annex A?
- Yes — the register links each treated risk to the relevant Annex A control, which feeds your Statement of Applicability (SoA). CATAAM can generate the SoA and continuously monitor those controls.
From risk register to certified ISMS
CATAAM automates ISO 27001 evidence, generates your SoA, and continuously monitors Annex A controls.
ISO 27001 with CATAAM