Document Title: Risk Assessment & Treatment Methodology
Version: 1.0
Owner: [e.g. Information Security Manager]
Approved By: [e.g. Managing Director]
Review Date: [Date]
1. Purpose
This document defines the methodology used by [Organisation Name] to assess, evaluate, and treat information security risks in line with the ISO/IEC 27001:2022 standard.
2. Scope
Covers all assets, processes, systems, and activities within the defined ISMS scope.
3. Risk Assessment Approach
Type: Qualitative / Quantitative / Hybrid (choose one)
Risk = Likelihood × Impact
Both values are scored using a defined scale (see Section 4).
4. Risk Criteria
Likelihood Scale:
| Score | Description |
|---|---|
| 1 | Rare – Unlikely to occur |
| 2 | Possible – Could occur occasionally |
| 3 | Likely – Expected to occur regularly |
Impact Scale:
| Score | Description |
|---|---|
| 1 | Low – Minor operational impact |
| 2 | Medium – Moderate disruption or cost |
| 3 | High – Serious damage or legal/regulatory breach |
Risk Matrix Example:
| | Impact 1 | Impact 2 | Impact 3 |
|---|---|---|---|
| Likelihood 1 | Low | Low | Medium |
| Likelihood 2 | Low | Medium | High |
| Likelihood 3 | Medium | High | High |
Risk Acceptance Threshold:
Risks rated Low are considered acceptable. Medium and High risks require treatment.
5. Asset-Based and Event-Based Assessments
We use both:
- Asset-based: Identifying threats to specific business assets
- Event-based: Modelling scenarios involving likely security incidents
Each risk scenario includes:
- Threat source
- Vulnerability
- Potential impact
- Existing controls
- Proposed treatment
6. Risk Treatment Options
In line with ISO 27001 Clause 6.1.3, treatment options include:
- Avoid: Discontinue the risk-related activity
- Mitigate: Apply security controls to reduce risk
- Transfer: Shift risk (e.g. insurance, outsourcing)
- Accept: No action taken; risk is tolerable
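The following Python script is an added worked example of Sections 3 to 6 taken together, not part of the template itself: it scores each scenario as Likelihood × Impact, rates it with the Section 4 matrix, applies the acceptance threshold, and flags any register entry whose proposed treatment is "Accept" even though the rating requires treatment. It also sanity-checks that a matrix never rates a risk lower when either score rises. The register entries, references, threat and control descriptions are constructed placeholders, and the function names are the example's own.

```python
"""Worked example of the risk methodology (Sections 3-6).
Added illustration; the scenarios below are constructed, not a real register."""
from dataclasses import dataclass

# Section 4 scales (score -> label)
LIKELIHOOD = {1: "Rare", 2: "Possible", 3: "Likely"}
IMPACT = {1: "Low", 2: "Medium", 3: "High"}

# Section 4 risk matrix, indexed RISK_MATRIX[likelihood][impact]
RISK_MATRIX = {
    1: {1: "Low", 2: "Low", 3: "Medium"},
    2: {1: "Low", 2: "Medium", 3: "High"},
    3: {1: "Medium", 2: "High", 3: "High"},
}
RATING_ORDER = {"Low": 0, "Medium": 1, "High": 2}

# Section 6 treatment options; "Accept" is only valid below the threshold
TREATMENT_OPTIONS = {"Avoid", "Mitigate", "Transfer", "Accept"}


@dataclass
class RiskScenario:
    """One Risk Register entry with the Section 5 fields (constructed example)."""
    ref: str
    kind: str                 # "asset" or "event" (Section 5)
    threat_source: str
    vulnerability: str
    likelihood: int
    impact: int
    existing_controls: str
    proposed_treatment: str


def risk_score(likelihood: int, impact: int) -> int:
    """Section 3: Risk = Likelihood x Impact, both on the 1-3 scales."""
    if likelihood not in LIKELIHOOD or impact not in IMPACT:
        raise ValueError(f"scores must be 1-3, got L={likelihood} I={impact}")
    return likelihood * impact


def risk_rating(likelihood: int, impact: int) -> str:
    """Section 4: look the pair up in the risk matrix."""
    risk_score(likelihood, impact)  # validates the inputs
    return RISK_MATRIX[likelihood][impact]


def requires_treatment(rating: str) -> bool:
    """Section 4 acceptance threshold: Low is acceptable, Medium/High are not."""
    return rating != "Low"


def matrix_is_monotonic() -> bool:
    """Check that raising likelihood or impact never lowers the rating."""
    for lk in RISK_MATRIX:
        for im in RISK_MATRIX[lk]:
            here = RATING_ORDER[RISK_MATRIX[lk][im]]
            if lk + 1 in RISK_MATRIX and RATING_ORDER[RISK_MATRIX[lk + 1][im]] < here:
                return False
            if im + 1 in RISK_MATRIX[lk] and RATING_ORDER[RISK_MATRIX[lk][im + 1]] < here:
                return False
    return True


def evaluate(scenario: RiskScenario) -> dict:
    """Rate one scenario and check its treatment against the threshold."""
    rating = risk_rating(scenario.likelihood, scenario.impact)
    needed = requires_treatment(rating)
    valid_option = scenario.proposed_treatment in TREATMENT_OPTIONS
    # "Accept" on a Medium/High risk contradicts the acceptance threshold
    compliant = valid_option and (not needed or scenario.proposed_treatment != "Accept")
    return {
        "ref": scenario.ref,
        "score": risk_score(scenario.likelihood, scenario.impact),
        "rating": rating,
        "treatment_required": needed,
        "compliant": compliant,
    }


def evaluate_register(scenarios) -> dict:
    """Evaluate every entry; returns {ref: result}."""
    return {s.ref: evaluate(s) for s in scenarios}


def exceptions(scenarios) -> list:
    """References of entries whose treatment does not satisfy the threshold."""
    return [r["ref"] for r in evaluate_register(scenarios).values() if not r["compliant"]]


# Constructed sample register (placeholders, not real data)
SAMPLE_REGISTER = [
    RiskScenario("R-01", "asset", "External attacker", "Unpatched database server",
                 2, 3, "Perimeter firewall", "Mitigate"),
    RiskScenario("R-02", "event", "Staff travel", "Unencrypted laptop lost in transit",
                 3, 1, "Asset tagging", "Accept"),
    RiskScenario("R-03", "asset", "Hardware fault", "Single shared office printer",
                 1, 1, "Maintenance contract", "Accept"),
]

if __name__ == "__main__":
    for result in evaluate_register(SAMPLE_REGISTER).values():
        print(result)
    print("Entries needing review:", exceptions(SAMPLE_REGISTER))
```

Running the script lists R-02 as the only exception: Likely × Low rates Medium under the matrix, so "Accept" is not a permitted treatment for it, whereas R-01 (High, Mitigate) and R-03 (Low, Accept) are consistent with Sections 4 and 6. The monotonicity check is worth keeping when an organisation customises the matrix, since a cell that rates lower than its neighbours usually indicates a transcription error rather than a policy decision.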
7. Documentation & Review
- All risks are documented in the Risk Register
- The Statement of Applicability (SoA) maps chosen controls
- The methodology is reviewed annually or following significant changes
8. References
- ISO/IEC 27001:2022
- ISO/IEC 27005:2024 (optional)
- [Organisation’s] Risk Register
- [Organisation’s] Statement of Applicability