ISO 27001 Risk Assessment and Treatment

Risk assessment is probably the most complex part of an ISO 27001 implementation, but risk assessment (and treatment) is also the most important step at the beginning of an information security project: it sets the foundation for information security in the company. Analysing risk early means it can be treated before it turns into an incident, and a single overlooked weakness can cause a problem for the entire organization.

ISO 27001 certification of an Information Security Management System (ISMS) provides a framework of information security management best practice for an organization, and demonstrates to clients and other external parties that information security is managed systematically.

The standard is written by an international committee of information security experts and provides a methodology for implementing information security management in an organization. It also allows an organization to become certified, which means that an independent, accredited certification body has confirmed that the ISMS conforms to the requirements of the standard.

The following steps are to be followed for the assessment and treatment of risk:

  • Risk assessment: The first step is to identify all information assets in the organization, i.e. everything whose loss or compromise could affect the security of information. Assign a value to each asset in terms of the worst-case impact that a loss of its confidentiality, integrity or availability would have on the organization.
  • Risk assessment implementation: List all assets, then the threats and vulnerabilities related to each asset, assess the impact and likelihood of each asset/threat/vulnerability combination, and finally calculate the level of risk. Organizations are typically aware of only a fraction of their risks before such a systematic assessment, which is what makes this step necessary.
  • Risk treatment implementation: Once risks have been identified and assessed, those that exceed the acceptance criteria must be treated. To do this properly, maintain a plan for implementing the chosen risk treatment strategies.
  • ISMS Risk Assessment Report: Document everything done so far. This is not only for the auditors; the results will need to be reviewed at the next review cycle, typically a year later, when the assessment is repeated.
  • Statement of Applicability: This document shows the security profile of the company. Based on the results of the risk treatment, list the controls that have been selected and implemented, why and how, together with a justification for any Annex A control that has been excluded. The certification auditor will use it as the main guideline for the audit.
  • Risk Treatment Plan: This step defines exactly who is going to implement each control, in which timeframe, with what budget, etc. I would prefer to call this document an 'Implementation Plan' or 'Action Plan', but let's stick to the terminology used in ISO 27001. Risk treatment plans are then recorded and tracked as part of the information security risk management process: assess the inherent risk, identify controls, determine the residual risk, and feed the result into the risk treatment plan.
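The steps above, carried through as a small risk register, as an added example written for this page (it is not code from the original post or from any consultancy). It values each asset by its worst-case CIA impact, scores inherent risk as impact times likelihood, applies selected controls to obtain residual risk, and derives the treatment plan and a Statement of Applicability from the result. The 1-5 scales, the acceptance threshold of 8, the expected reduction each control gives, and all asset, threat, owner and date values are constructed assumptions; the Annex A references follow ISO/IEC 27001:2022 numbering and should be checked against your copy of the standard.

```python
"""Constructed ISO 27001-style risk register: asset valuation, inherent risk,
control selection, residual risk, treatment plan and Statement of Applicability.
Example code written for this page; every figure below is an assumption."""
from dataclasses import dataclass, field
from typing import Dict, List

# Assumption: risk scores above this level exceed the acceptance criteria.
RISK_ACCEPTANCE_THRESHOLD = 8


@dataclass
class Asset:
    name: str
    confidentiality: int  # worst-case impact if confidentiality is lost (1-5)
    integrity: int        # worst-case impact if integrity is lost (1-5)
    availability: int     # worst-case impact if availability is lost (1-5)

    @property
    def value(self) -> int:
        # Asset value is the worst-case impact across C, I and A.
        return max(self.confidentiality, self.integrity, self.availability)


@dataclass
class Control:
    ref: str      # Annex A reference (ISO/IEC 27001:2022 numbering; verify in the standard)
    reduces: str  # which factor the control addresses: "likelihood" or "impact"
    by: int       # expected reduction in scale points (assumption)
    owner: str    # who implements it (constructed)
    due: str      # target date from the treatment plan (constructed)


@dataclass
class Risk:
    asset: Asset
    threat: str
    vulnerability: str
    likelihood: int  # 1-5
    controls: List[Control] = field(default_factory=list)

    @property
    def inherent(self) -> int:
        # Risk level before any control is applied: impact x likelihood.
        return self.asset.value * self.likelihood

    @property
    def residual(self) -> int:
        # Apply each control to the factor it addresses; neither factor drops below 1.
        lik = self.likelihood - sum(c.by for c in self.controls if c.reduces == "likelihood")
        imp = self.asset.value - sum(c.by for c in self.controls if c.reduces == "impact")
        return max(1, imp) * max(1, lik)

    def decision(self) -> str:
        # Risk within the acceptance criteria may be retained; anything above
        # the threshold must be modified by implementing controls.
        return "retain" if self.inherent <= RISK_ACCEPTANCE_THRESHOLD else "modify"


def build_register() -> List[Risk]:
    """Constructed sample register: three asset/threat/vulnerability combinations."""
    crm = Asset("Customer database", confidentiality=5, integrity=4, availability=3)
    files = Asset("File server", confidentiality=3, integrity=4, availability=4)
    web = Asset("Public website", confidentiality=1, integrity=3, availability=3)
    return [
        Risk(crm, "credential theft", "single-factor admin login", likelihood=4, controls=[
            Control("A.8.5 Secure authentication", "likelihood", 2, "IT Ops", "Q3"),
            Control("A.8.15 Logging", "likelihood", 1, "SecOps", "Q3"),
        ]),
        Risk(files, "ransomware", "unpatched SMB service", likelihood=3, controls=[
            Control("A.8.7 Protection against malware", "likelihood", 1, "IT Ops", "Q2"),
            Control("A.8.13 Information backup", "impact", 2, "IT Ops", "Q2"),
        ]),
        Risk(web, "denial of service", "no rate limiting", likelihood=2),  # within appetite
    ]


def treatment_plan(register: List[Risk]) -> List[Dict]:
    """Risks exceeding the acceptance criteria, highest inherent risk first, each with
    its planned controls, owners, dates and whether the residual risk is now acceptable."""
    rows = []
    for r in register:
        if r.decision() != "modify":
            continue
        rows.append({
            "asset": r.asset.name,
            "threat": r.threat,
            "inherent": r.inherent,
            "residual": r.residual,
            "controls": [(c.ref, c.owner, c.due) for c in r.controls],
            "status": ("acceptable" if r.residual <= RISK_ACCEPTANCE_THRESHOLD
                       else "further treatment required"),
        })
    return sorted(rows, key=lambda row: row["inherent"], reverse=True)


def statement_of_applicability(register: List[Risk]) -> Dict[str, List[str]]:
    """Map each selected control to the risks that justify it. Any Annex A control
    absent from this map would need a documented exclusion in the real SoA."""
    soa: Dict[str, List[str]] = {}
    for r in register:
        for c in r.controls:
            soa.setdefault(c.ref, []).append(f"{r.threat} against {r.asset.name}")
    return soa


if __name__ == "__main__":
    reg = build_register()
    for row in treatment_plan(reg):
        print(f"{row['asset']:18} inherent={row['inherent']:2} "
              f"residual={row['residual']:2} {row['status']}")
    for ref, reasons in statement_of_applicability(reg).items():
        print(ref, "<-", "; ".join(reasons))
```

Running the script lists the two risks that need treatment with their residual scores and the controls, owners and dates that make up the treatment plan, followed by the controls grouped by the risks that justify them. The public website risk scores 6, below the assumed threshold, so it is retained and documented without a control; in practice the accepted risks must still appear in the risk assessment report.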
