26 May 2026 • Cyber security
Risk analysis is not an optional add-on in ISO 27001 — it is the foundation the entire standard is built on. Without a structured understanding of what can go wrong and how likely and impactful that would be, every security measure your organisation takes is based on assumptions rather than evidence. This article explains what an ISO 27001 risk analysis involves, how to approach it step by step, and what a practical example looks like.
What is an ISO 27001 risk analysis?
An ISO 27001 risk analysis is a structured process in which an organisation identifies information security risks, evaluates their likelihood and potential impact, and decides how to treat them. The output is a risk register — a documented overview of all identified risks and the decisions made about each one.
ISO 27001 does not prescribe a single method for conducting a risk analysis. Clause 6.1.2 requires only that the method is defined up front and applied so that repeated assessments produce consistent, valid and comparable results. In practice, most organisations use a likelihood-impact matrix, a qualitative scoring system, or a combination of both.
The risk analysis is not a one-time exercise. ISO 27001 requires it to be reviewed regularly — at planned intervals and whenever significant changes occur in the organisation or its environment. This makes it a living document, not an archived report.
Why risk analysis is central to ISO 27001
ISO 27001 is a risk-based standard. That means the controls an organisation implements should be driven by risk, not by convention or what competitors are doing. Clause 6.1.2 of ISO 27001 specifically requires organisations to define a risk assessment process, apply it consistently, and retain documented information as evidence.
This risk-based approach has a practical implication: two organisations in the same sector can have very different sets of controls, because their risk profiles differ. A healthcare provider handling sensitive patient data faces different threats and has different exposure than a logistics company. The risk analysis is what makes the ISMS fit the organisation, rather than the other way around.
ISO 27001 does not tell you which risks to prioritise. It tells you to have a process that is rigorous enough to find out for yourself — and to document that you did.
The four steps of an ISO 27001 risk analysis
While ISO 27001 allows flexibility in methodology, effective risk analyses consistently follow four core steps:
- Identify assets and threats. Start by cataloguing the information assets that matter to your organisation: data, systems, processes, people. For each asset, identify the threats it faces (unauthorised access, data loss, system failure, human error) and the vulnerabilities that make those threats exploitable, and name a risk owner for each resulting risk. The 2022 edition of the standard no longer mandates an asset-based approach, only that risks to confidentiality, integrity and availability are identified, but asset, threat and vulnerability remains the most common way to do it.
- Assess likelihood and impact. For each identified risk, score the likelihood of it occurring and the impact it would have if it did. A simple 1–3 or 1–5 scale works for most organisations. Fix the scoring rule in advance (for example the product of the two scores, with thresholds for low, medium and high) and write it into the methodology, so that the same risk scored by two people, or by the same person a year apart, lands at the same level. Then compare each level against the risk acceptance criteria you defined beforehand.
- Determine risk treatment. For each risk, decide on a treatment option: mitigate (implement a control to reduce the risk), accept (document that the risk level is acceptable), transfer (e.g. through insurance or outsourcing), or avoid (change the activity that creates the risk).
- Document and review. Record all findings, risk owners, treatment decisions and residual risks in a risk register. Link each treatment to the applicable controls from ISO 27001 Annex A, and record which Annex A controls are included or excluded, with reasons, in the Statement of Applicability that clause 6.1.3 requires. Have the risk owners approve the treatment plan and formally accept the residual risks. Schedule a review date.
Risk analysis example: what it looks like in practice
Below is a simplified risk analysis example for an organisation with a small IT team and a mix of office-based and remote workers. Scores use a 1–3 scale (1 = low, 3 = high).
| Risk | Likelihood | Impact | Risk level | Treatment |
|---|---|---|---|---|
| Employee clicks phishing link, credentials stolen | 3 | 3 | High | Mitigate — phishing simulation + awareness training |
| Unpatched software exploited by malware | 2 | 3 | High | Mitigate — patch management policy |
| Laptop lost or stolen with unencrypted data | 2 | 2 | Medium | Mitigate — full-disk encryption + MDM |
| Key staff member leaves, knowledge lost | 2 | 2 | Medium | Mitigate — documentation + knowledge transfer process |
| Office flooded, server room inaccessible | 1 | 3 | Medium | Transfer (business continuity insurance) + mitigate (off-site cloud backup) |
| Social media account compromised | 1 | 1 | Low | Accept — monitor, no additional controls required |
This risk analysis example illustrates how human behaviour — particularly susceptibility to phishing — consistently appears as a high-priority risk. It is also one of the most addressable risks through structured security awareness training.
Security awareness training as a risk treatment measure
In almost every ISO 27001 risk analysis, human risk ends up in the high-priority category. Phishing, social engineering, weak passwords and accidental data disclosure are predictable, recurring risks — and they are driven by people, not systems.
Clause 7.3 of ISO 27001 requires that everyone working under the organisation's control is aware of the information security policy, their contribution to the ISMS and the implications of not conforming, and Annex A control 6.3 adds that personnel receive appropriate information security awareness, education and training, with regular updates of the relevant policies and procedures for their job function. This is not just about completing a module once a year: the awareness has to keep pace with the threat landscape, and it has to be evidenced.
Guardey’s ISO 27001 security awareness training is built around exactly this: short, recurring training sessions combined with phishing simulations that give organisations both the coverage and the documentation needed to satisfy auditors. The risk register entry for human error moves from “high risk, partially mitigated” to “high risk, actively managed” — a distinction that matters in an audit.
Eliminate human risk for ISO 27001 compliance
Build a security culture before the auditors come knocking.