Information security risk assessment
Plain English Translation
Clause 6.1.2 requires the organization to create a formal 'recipe' for handling security risks. You cannot simply guess which threats matter; you must define a repeatable process that establishes specific rules (criteria) for calculating risk levels and determining when a risk is acceptable. This process involves identifying risks to the confidentiality, integrity, and availability of your information, assigning a specific owner to each risk, and analyzing the likelihood and impact to prioritize which ones need fixing.
Technical Implementation
Clause 6.1.2 is the clause that mandates a defined and applied process for identifying, analyzing, and evaluating information security risks. It ensures the organization understands its threat landscape before implementing controls.
You must establish criteria for risk acceptance (what level of risk is okay?) and risk assessment (how do we calculate the level?). This is often done using a risk matrix (e.g., Likelihood x Impact) approved by top management. WatchDog Security's Risk Register can help apply those criteria consistently by standardizing scoring fields and recording approvals and exceptions.
The steps are: 1) Establish criteria, 2) Identify risks (assets, threats, vulnerabilities), 3) Analyze risks (assess consequences and likelihood), and 4) Evaluate risks (compare against criteria to prioritize treatment).
Identify risks by looking at assets and potential threats (e.g., theft, error, malware) that could harm confidentiality, integrity, or availability. Analyze them by estimating how likely they are to happen and what the impact would be if they did.
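The four steps above as a small, runnable risk register. This is an added illustration, not WatchDog Security's Risk Register or any product code; the 1-5 likelihood and impact scales, the acceptance threshold of 8, and the register entries are all assumed or constructed for the example.

```python
from dataclasses import dataclass

# Constructed ordinal scales; a real Risk Management Policy defines its own.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost_certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
# Assumed acceptance criterion approved by top management: level 8 or below is acceptable.
ACCEPTANCE_THRESHOLD = 8

@dataclass
class Risk:
    risk_id: str
    asset: str
    threat: str
    affects: str      # which property is at stake: "C", "I" or "A"
    owner: str        # every risk needs a named owner
    likelihood: str   # key into LIKELIHOOD
    impact: str       # key into IMPACT

    def level(self) -> int:
        """Risk level = Likelihood x Impact on the scales above."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

def evaluate(register):
    """Check each entry against the criteria, then split the register into a
    treatment queue (highest level first) and the risks that may be accepted."""
    for r in register:
        if not r.owner:
            raise ValueError(f"{r.risk_id}: a risk owner must be assigned")
        if r.affects not in ("C", "I", "A"):
            raise ValueError(f"{r.risk_id}: affected property must be C, I or A")
        if r.likelihood not in LIKELIHOOD or r.impact not in IMPACT:
            raise ValueError(f"{r.risk_id}: rating is outside the defined scales")
    treat = sorted((r for r in register if r.level() > ACCEPTANCE_THRESHOLD),
                   key=lambda r: r.level(), reverse=True)
    accept = [r for r in register if r.level() <= ACCEPTANCE_THRESHOLD]
    return treat, accept

# Constructed sample register entries (not real assessment data).
SAMPLE_REGISTER = [
    Risk("R-1", "Staff laptops", "Theft of unencrypted device", "C", "IT Lead", "likely", "major"),
    Risk("R-2", "Nightly backups", "Operator error corrupts restore point", "A", "Ops Lead", "possible", "moderate"),
    Risk("R-3", "Internal wiki", "Malware defaces a low-value page", "I", "Web Owner", "unlikely", "minor"),
]

if __name__ == "__main__":
    treat, accept = evaluate(SAMPLE_REGISTER)
    for label, group in (("TREAT", treat), ("ACCEPT", accept)):
        for r in group:
            print(f"{label:6} {r.risk_id} level={r.level():2d} owner={r.owner}: {r.threat}")
```

Because the scales and threshold are fixed in one place, two assessors scoring the same entry get the same level, which is the consistency the clause asks for.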
Risk assessment (Clause 6.1.2) is the diagnosis—finding and scoring the problems. Risk treatment (Clause 6.1.3) is the cure—deciding what to do about them (mitigate, accept, transfer, or avoid).
ISO 27001 does not mandate a specific methodology, but the one you choose must be repeatable and produce consistent results. Common methodologies include ISO 27005, NIST SP 800-30, or simple asset-threat-vulnerability matrices.
Consistency is achieved by having a documented Risk Management Policy with clear definitions for likelihood and impact levels, ensuring that different assessors would reach similar conclusions for the same risk. WatchDog Security's Compliance Center can help by centralizing the methodology, required evidence, and review checkpoints so teams follow the same playbook.
You must retain documented information about the risk assessment process (Policy) and the results of the risk assessments (Risk Register or Report).
A common challenge is keeping risk scoring consistent across teams and ensuring each assessment produces traceable, reviewable outcomes. WatchDog Security's Risk Register helps standardize likelihood/impact scoring, assign risk owners, capture treatment decisions, and generate an auditable history of changes so your Clause 6.1.2 process stays repeatable over time.
Risk assessments can become stale when new assets, cloud misconfigurations, or vendor dependencies appear between review cycles. WatchDog Security's Asset Inventory provides continuous visibility into assets and identity relationships, and WatchDog Security's Vendor Risk Management helps track vendor risk-tiering and assessment status, so teams can trigger targeted re-assessments when the environment changes.
"The organization shall define and apply an information security risk assessment process that: a) establishes and maintains information security risk criteria... c) identifies the information security risks... d) analyses the information security risks... e) evaluates the information security risks."
| Version | Date | Author | Description |
|---|---|---|---|
| 1.0.0 | 2025-05-27 | WatchDog Security GRC Team | Initial publication |