Exploring ISO 27001 Risk Assessment Methodology

It is important to know the different types of ISO 27001 risk assessment methodology that you can use to protect your data. Each type comes with its own advantages and drawbacks, so you need to understand how to choose the best one for your company.

Understanding Risk Assessment

Before we explore the ISO 27001 risk assessment methodologies, you first need to understand risk assessment itself: it is the way your company decides what it will do to secure its data. This matters because vulnerabilities and threats come from everywhere, not only from external attackers but also from careless internal users.

Vulnerabilities may also exist in the network infrastructure itself. Top management therefore needs to know how urgent each of these risks is and how much the mitigation effort will cost.

Risk assessment helps top management decide on priorities. The assessment evaluates the probability and potential impact of each risk found in your company. Top management can then review the report and decide which mitigation efforts to prioritize according to the company's timeline, strategy and budget.


Different Types of ISO 27001 Risk Assessment Methodology

There is actually no mandatory ISO 27001 risk assessment methodology that you must use to meet the standard. Instead, you need to create your own methodology that suits your company's needs.

To do that, you can start from the common methodology types and adjust them to fit your company. The methodology types you can consider are:

Quantitative method

This method applies analytical rigor to the process. Every risk and asset is assigned a value in dollars, so the risk assessment result can be presented in financial terms that top management, board members and executives understand more easily. Decision makers then prioritize the mitigation options based on a cost-benefit analysis.

However, this method is not suitable for everyone, especially since not every risk or asset is quantifiable. Putting a financial value on them is not easy and often undermines the objectivity of the assessment. The company needs an expert with the right knowledge and ability to do it, and not every company has such an expert in house.

Qualitative method

This method uses a journalistic approach to place risks on scales. The assessors talk with employees across the company about how they would do their jobs, or whether they could do them at all, if the company's systems became inaccessible.

That input is then used to rate each risk on a scale of low, medium or high. This method shows the overall picture of how risks can affect the company's operations.

However, this approach is subjective, so the assessor must be able to explain the scenarios in a way that employees with varied technical backgrounds can easily understand. They should also use interview techniques and questions designed to avoid bias.

Semi-Quantitative method

This method combines the two methods explained above. Values are assigned on a numerical scale, and the risks are then categorized: the lower third of the scale is low risk, the middle third is medium risk and the upper third is high risk.

By combining both methods you avoid the intensive probability and value calculations of the quantitative method while still keeping an analytical assessment. This method is therefore considered more objective and gives a better basis for prioritizing risks.

Asset-Based Method

This is the traditional approach that many companies use when assessing risk, especially in the IT department. It is popular because it aligns well with the department's culture, operations and structure. This ISO 27001 risk assessment methodology can be done in a few steps:

  • Recording all assets
  • Evaluating how effective the current controls are
  • Identifying vulnerabilities and threats for each asset
  • Assessing the potential impact of each risk

One thing to note is that this approach cannot produce a complete assessment, because some risks are not part of the information infrastructure, especially soft factors such as processes, policies and so on. Those factors may pose a higher risk to the company's security.

Vulnerability-Based method

In this method the assessment goes beyond the company's assets. It starts by examining the known deficiencies and weaknesses of the company's environment and systems.

The next step is to identify the threats that could exploit those vulnerabilities and their potential consequences. Although this approach finds more risks than the asset-based method, it is based only on known vulnerabilities, which means other threats may not be captured by the assessment.

Threat-Based method

This ISO 27001 risk assessment methodology gives a more complete picture of the company's risk posture. The approach evaluates the conditions that may create risk. To do that you also need to audit the company's assets, since the controls on those assets often contribute to the conditions that create risk.

Thus, this method goes beyond just the physical infrastructure. Through this assessment you can identify methods that can be used to reduce risk, including the cost needed.

How to Choose a Suitable Methodology for Your Company

The next thing you need to do is choose which methodology is most suitable for your company. There are a few ways to go about this:

  • Choosing a complete risk assessment product created by an external company.

Many companies do this because it seems easier. However, those products usually come with a steep learning curve, and some users may not have the patience to follow it.

  • Borrowing a methodology from another company.

This is another option, but it is usually very hard to find a method that fits your company well. And if you do not understand the basis on which the methodology was created, it will be hard even to implement it.

  • Creating your own methodology

As you can see, each ISO 27001 risk assessment methodology has its own weaknesses, since none is perfect, but each also has its own strengths. Luckily, these methods are not mutually exclusive.

This means you can create your own methodology that combines these approaches so that it suits your company better. To do that you need to know your goal as well as the company's nature.

For example, if top management approval is very important, you may need to create a methodology that uses the quantitative method. That way you can present the risk assessment results with values that top management finds easier to understand.

But if you need support from stakeholders and employees, you may need to create a methodology that uses the qualitative method.

Components That the Methodology Should Have

When choosing and creating the methodology, you need to make sure it actually fulfills the ISO 27001 requirements stated in Clause 6.1.2. This clause contains a list you can follow, which includes a few important items such as:

  • Specifying the method used to identify the vulnerabilities and risks that could compromise the confidentiality, integrity and/or availability of the data your company transmits, manages and stores.

What you need to do is create a list of all the vulnerabilities and threats you find through the assessment.

  • Identifying the owner of each risk and the method used to identify them. You need to assign a team or a person with the right ability, knowledge and training to handle the risk, or find someone with the right position and authority to do the task.
  • The ISO 27001 risk assessment methodology must identify the criteria used to measure how likely the risk is to occur and what its consequences would be. You can use some of the scales from the methods discussed above; for example, a numerical scale or categorization into different priorities.
  • Determining the method used to calculate the risk. Do not forget that you need to fully document the method, since the documentation is needed for the audit process later on.
  • Determining the criteria that will be used to accept risk. For example, you may want to prioritize risks with a high rating or a larger numerical value before addressing the others.
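To make the semi-quantitative scoring described earlier and the Clause 6.1.2 items above (named risk owner, likelihood and consequence criteria, a documented risk calculation, and an acceptance criterion) concrete, here is an added Python example that is not from the article or from any ISO document. The five-step scales, the likelihood-times-impact calculation, the thirds-based banding and the sample risk register are all constructed assumptions for illustration.

```python
from dataclasses import dataclass

LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}  # constructed scale
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}  # constructed scale
MAX_SCORE = max(LIKELIHOOD.values()) * max(IMPACT.values())  # 25
BANDS = ("low", "medium", "high")

@dataclass
class Risk:
    ref: str
    description: str
    owner: str        # Clause 6.1.2 asks for a risk owner; unowned entries are rejected
    likelihood: str
    impact: str

def score(risk):
    """Documented risk calculation: likelihood value times impact value (1..25)."""
    if not risk.owner:
        raise ValueError(f"{risk.ref}: every risk needs a named owner")
    return LIKELIHOOD[risk.likelihood] * IMPACT[risk.impact]

def band(value):
    """Split the numeric scale into thirds: lower third low, middle medium, upper high."""
    third = MAX_SCORE / 3
    if value <= third:
        return "low"
    if value <= 2 * third:
        return "medium"
    return "high"

def prioritise(register, accept="low"):
    """Acceptance criterion: bands up to `accept` are accepted as-is; the rest
    come back highest score first so treatment can be planned in that order."""
    accepted_bands = BANDS[: BANDS.index(accept) + 1]
    treat, accepted = [], []
    for r in register:
        s = score(r)
        b = band(s)
        (accepted if b in accepted_bands else treat).append((r.ref, s, b))
    treat.sort(key=lambda t: -t[1])
    return treat, [ref for ref, _, _ in accepted]

# Constructed sample register (illustrative values, not real findings).
SAMPLE_REGISTER = [
    Risk("R1", "Unencrypted laptop lost or stolen", "IT manager", "likely", "moderate"),
    Risk("R2", "Ransomware on the file server", "Head of IT", "possible", "severe"),
    Risk("R3", "Visitor tailgates into the office", "Facilities", "possible", "minor"),
    Risk("R4", "Unpatched VPN appliance", "Network lead", "almost certain", "major"),
]
```

Raising the `accept` threshold to "medium" is the kind of acceptance-criteria decision the clause asks you to record, and the sorted output is the priority order you would take to top management.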

Having a strong risk assessment methodology is the first step toward good risk management. It gives your company a framework the team can use to assess risks and the likelihood of implementing ISO 27001 successfully. That is why it is very important to learn about the ISO 27001 risk assessment methodologies and choose the one most suitable for your company.
