ISO 27001 risk assessment methodology

A practical, auditor-ready guide to running an ISO 27001 risk assessment using the 5×5 likelihood × impact model — without drowning in spreadsheets.

Why ISO 27001 needs a documented methodology

Clause 6.1.2 of ISO/IEC 27001:2022 requires an information security risk assessment process that is repeatable and produces consistent, valid and comparable results. In plain English: two people using your method on the same risk should land on similar scores. That is what auditors test for.

A 5×5 likelihood × impact matrix is the most widely used way to meet that bar. It is simple enough that any control owner can use it, and structured enough that an external auditor will accept it as evidence of a defined methodology.

The 5×5 model at a glance

Each risk gets two scores from 1 to 5: how likely it is to happen, and how badly it would hurt if it did. Multiply them to get a risk rating between 1 and 25, then map that rating to a treatment decision.

Score | Likelihood | Impact
1 | Rare — once in 5+ years | Negligible — no measurable harm
2 | Unlikely — once in 2–5 years | Minor — internal disruption only
3 | Possible — once a year | Moderate — customer impact, recoverable
4 | Likely — multiple times a year | Major — regulatory or contractual breach
5 | Almost certain — monthly or more | Severe — material financial or reputational loss

Rating (L × I) | Band | Default treatment
1 – 4 | Low | Accept, review annually
5 – 9 | Moderate | Mitigate where cost-effective
10 – 15 | High | Mitigate, assign owner, due date
16 – 25 | Critical | Mitigate now, escalate to leadership

The five steps of an ISO 27001 risk assessment

Step 1: Build your asset and scope picture

List the information assets in scope of your ISMS: systems, data stores, suppliers, physical locations and people. You do not need a perfect CMDB — you need enough granularity to talk about realistic threats against each asset.

Step 2: Identify threats and vulnerabilities

For each asset, ask what could plausibly go wrong against confidentiality, integrity and availability. Use threat catalogues (ENISA, NIST SP 800-30 Appendix E) as a prompt — do not reinvent them.

Step 3: Score likelihood and impact (1–5)

Score the inherent risk first — before existing controls. Then score the residual risk with current controls applied. The gap between the two is the value your controls actually deliver, and that is what an auditor wants to see.
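As an added illustration (not code from this page or from ISO-STANDARD.app), a small Python scorer for the 5×5 model above: it holds both scores to the 1..5 scale, maps the rating to its band and default treatment, computes the inherent-to-residual delta described in step 3, and builds a residual heatmap. The register entries are constructed sample data.

```python
from collections import namedtuple

# inherent/residual are (likelihood, impact) pairs; each score is 1..5.
Risk = namedtuple("Risk", "asset threat inherent residual")

# Band thresholds and default treatments from the 5×5 table above;
# each band's upper bound is inclusive (rating = likelihood × impact).
BANDS = (
    (4, "Low", "Accept, review annually"),
    (9, "Moderate", "Mitigate where cost-effective"),
    (15, "High", "Mitigate, assign owner, due date"),
    (25, "Critical", "Mitigate now, escalate to leadership"),
)

def rating(likelihood, impact):
    # Reject anything off the 1..5 scale so every assessor is held to it.
    for name, score in (("likelihood", likelihood), ("impact", impact)):
        if not isinstance(score, int) or not 1 <= score <= 5:
            raise ValueError(f"{name} must be an integer 1..5, got {score!r}")
    return likelihood * impact

def band(score):
    for upper, name, treatment in BANDS:
        if score <= upper:
            return name, treatment
    raise ValueError(f"rating {score} is outside 1..25")

def assess(risk):
    # Score before and after controls; the delta is what the controls deliver.
    inherent, residual = rating(*risk.inherent), rating(*risk.residual)
    if residual > inherent:  # controls cannot make a risk worse: a scoring error
        raise ValueError(f"{risk.asset}: residual {residual} > inherent {inherent}")
    name, treatment = band(residual)
    return {"asset": risk.asset, "inherent": inherent, "residual": residual,
            "band": name, "treatment": treatment, "control_value": inherent - residual}

def heatmap(risks):
    # 5×5 grid of residual-risk counts, indexed [likelihood-1][impact-1].
    grid = [[0] * 5 for _ in range(5)]
    for r in risks:
        lik, imp = r.residual
        rating(lik, imp)  # validate before plotting
        grid[lik - 1][imp - 1] += 1
    return grid

# Constructed sample register; the assets, threats and scores are made up.
REGISTER = [
    Risk("Customer DB", "Credential theft via phishing", (4, 5), (2, 5)),
    Risk("Office laptops", "Loss of unencrypted device", (3, 3), (3, 1)),
    Risk("Payroll SaaS", "Supplier outage", (3, 2), (3, 2)),
]
```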

Step 4: Decide treatment

For each risk, pick one of: treat (add or strengthen controls), transfer (insurance, contracts), tolerate (formally accept), or terminate (stop doing the risky activity). Justify the choice in writing — that justification is your audit evidence.

Step 5: Document, review, repeat

Risks change as your business changes. ISO 27001 expects assessments at planned intervals and when significant change occurs — typically a quarterly review with a full re-scoring annually, plus an ad-hoc reassessment for new products or incidents.

Why spreadsheets break at step 5

The methodology is straightforward. The pain is keeping it alive across review cycles: linking risks to controls, tracking owner sign-off, surfacing what changed since the last audit, and producing a Statement of Applicability that actually matches the register.

ISO-STANDARD.app implements this exact 5×5 model out of the box, with inherent and residual scoring, a heatmap view, control linkage, and an audit-ready export. No formulas, no broken references, no version-N-final-final.xlsx.

Common questions

Does ISO 27001 mandate a 5×5 matrix?

No. Clause 6.1.2 requires a defined, repeatable methodology — it does not prescribe the scale. 5×5 is recommended because it balances granularity with usability; 3×3 is too coarse for most ISMS scopes, and 10×10 invites false precision.

Should we score inherent risk, residual risk, or both?

Both. Inherent shows the world without your controls; residual shows the world with them. Auditors use the delta to verify that your controls are doing real work.

How often should we reassess?

Continuously for new risks, at least quarterly for review, and a full re-score annually. Any significant change — new vendor, new product, incident, regulatory shift — triggers an ad-hoc reassessment.

Who should own a risk?

A single named person with the authority to commission treatment. Shared ownership is a common audit finding — avoid it.