Get in touch

Get in touch

  • This field is for validation purposes and should be left unchanged.

Privacy Notice


When you submit an enquiry via our website, we use the personal data you supply to respond to your query, including providing you with any requested information about our products and services. We may also email you several times after your enquiry in order to follow up on your interest and ensure that we have answered your it to your satisfaction. We will do this based on our legitimate interest in providing accurate information prior to a sale. Your enquiry is stored and processed as an email which is hosted by Microsoft within the European Economic Area (EEA). We keep enquiry emails for two years, after which they are securely archived and kept for seven years, when we delete them.

Reveal Menu


An expert blog by CertiKit’s Managing Director, Principal Consultant and creator of the ISO27001 toolkit, Ken Holmes

You’ll hear it said many times that ISO27001 is a risk-based standard, and in this blog I’m going to discuss the basics of creating a risk assessment and treatment plan.

Your choice

In our ISO27001 toolkit we give you two choices in performing your risk assessments; asset-based and scenario-based. Whichever method you choose it’s still a good idea to have an up to date inventory of your assets, particularly your information assets, such as customer data or product specifications.

Whether you choose to perform a scenario-based assessment, or an asset-based one, many of the principles are the same.

Define your criteria

The first step is to define the scope and context of the assessment, and your risk acceptance criteria. This sets out what the risk assessment covers and why, so for example we might conduct an assessment of the risks to a specific IT system or service and we might be doing this in the context of the system going live for the first time, or because we’ve become aware of additional threats.

Our risk acceptance criteria define how much risk we can live with without putting any more controls in place and may be stated as a risk score, for example of less than 10, or as a risk classification, for example Low is accepted whereas Medium or High is not.

Identify the risks

Once you’ve defined the details of the assessment, you can start to populate the risk assessment spreadsheet with your risks. Each entry could be a risk to the confidentiality, the integrity or the availability of the asset involved, or a combination of these.

Once you’ve assigned a risk owner, as required by the ISO27001 standard, briefly set out the existing controls in place to manage this risk.

Analysing the risks

The next step is to define the likelihood of the risk happening on a scale of 1 low to 5 high, and give the main reasons why you’ve chosen that score. This is useful information when you come to reassess the risks at a later date, or for someone else to understand why the score was set as it is.

You then need to assess the potential impact of the risk, and the combination of these two numbers gives a risk score and a corresponding risk level.

Accept or treat?

Next you need to decide whether you are going to accept the risk, based on your acceptance criteria that you defined earlier, or if you’re going to treat the risk.

As treatment, you could decide to avoid the risk, for example by stopping doing something that makes it arise in the first place. You could transfer the risk by getting another party to take it on, such as in the case of insurance. Or you could modify it by taking some additional action such as putting additional controls in place.

If you decide to modify the risk, enter the details of the treatment actions you’re going to put in place. These actions form part of your treatment plan.

Residual risk level

Next you need to assess the effect that the treatment actions are expected to have on the risk score and corresponding level and enter new values for likelihood and impact.

Note that if you had decided to accept the risk, you would set these values to be the same as the pre-treatment ones, because you’ve not done anything to affect them. What you’re left with after the treatment actions have been completed is often referred to as the residual level of risk.

How many risks?

We’re often asked how many risks should be listed in our risk assessment tool and there’s no easy answer to that question. The ISO27001 standard doesn’t specify any expectations as to numbers, only that risks should be assessed according to a process. So technically if you only had a dozen or so main risks it shouldn’t be a problem. We would certainly advise against going too far overboard on the number of risks as this can make the process difficult to manage. The appropriate number will depend on factors such as the size of your organization, what it does, and how sensitive your information is.

And finally

Other useful tabs are included within the risk assessment tool. Some example risks are given, together with their corresponding controls from Annex A of the ISO27001 standard. There are also a number of alternative ways of presenting the risk assessment and treatment information in graphical form.

Risk assessment and treatment is a big subject and we’ve just scratched the surface in this blog but hopefully it’s been a useful introduction.

More ISO27001 Resources

CertiKit is a provider of ISO toolkits, consultancy and internal auditing services, and has helped more than 4000 organizations worldwide with their compliance.

For more guidance on implementing the ISO27001:2022 standard, we’ve put together a list of our best free resources including video guides, blogs and downloadable documents.

Free ISO27001 Resources

We’ve helped more than 4000 businesses with their compliance


I really love the introductions and guidance in each document. This makes it so easy to use for my team and the uninitiated to quality management.

Chauncery Ventures

View all Testimonials