In many SMEs, information security risks are generally recognized, but they are not consistently assessed and the decisions made about them are not clearly documented. This often leads to repeated discussions about what the biggest risks really are, what should be addressed first, and who is responsible for moving the work forward.
In this article, we walk you through how ISO 27001 risk assessment and risk management are done in practice, step by step. You will get a clear roadmap, an example risk scoring model, recommended responsibilities, and concrete deadlines to make risk management a routine practice, not just a checklist for audits.
Prerequisites
- A designated person responsible for risk management, such as an IT manager, information security officer, or quality manager
- A decision on the scope of application, meaning which business areas, systems, and data are included in the assessment
- A list of critical assets: systems, data, devices, suppliers, and key processes
- A shared scoring model for likelihood and impact, for example on a scale of 1–5
- At least a 2–3 hour workshop with key stakeholders for the initial assessment
What Does ISO 27001 Risk Assessment Mean in Practice?
ISO 27001 is based on the idea that information security is managed systematically, not by guesswork. In practice, this means a company identifies risks, assesses their severity, decides how to treat them, and monitors whether agreed measures have been implemented.
Many think risk assessment is a once-a-year Excel exercise. In reality, it is a continuous model in which the same principles are applied whenever, for example, a new system is introduced, staff change, or a supplier is replaced.
A good risk assessment answers at least these questions:
- What do we want to protect?
- What can go wrong?
- How likely is it on a scale of 1–5?
- What would be the business impact on a scale of 1–5?
- What controls or protective measures are already in place?
- What happens next, who does it, and by when?
For example, in a SaaS company handling customer data, one risk might be a user account of a former employee that remains active. The impact could be 4/5 and the likelihood 3/5, resulting in a risk score of 12/25. If the company decides that all risks over 10 points are addressed within 30 days, this measure can be easily prioritized.
Note
ISO 27001 does not mandate a single risk scoring model. The standard requires you to use a consistent method for evaluating risks and be able to justify why that model works for your organization.
Risk Assessment Starts With Assets, Not Threats
A common mistake is to start by listing only threats such as phishing, malware, or denial-of-service attacks. That’s too abstract. A better approach is to start with what the company has and what is critical to business.
In practice, first identify the most important targets, i.e., assets. An asset can be information, a system, a device, a process, or even a key person’s expertise.
Start with these 3–5 groups:
- Customer and personal data
- Cloud services and business-critical applications
- Workstations, mobile devices, and administrative accounts
- Suppliers and subcontractors
- Key business processes like sales, delivery, or customer support
Once assets are identified, risk assessment becomes concrete. You no longer assess vague “cyber threats,” but rather, for example, what happens if the financial management system is unavailable for 8 hours, or if customer data ends up in the wrong hands.
A Simple Scoring Model Is Enough for Most SMEs
SMEs don’t need to create an overly complex model. Usually, it’s enough to evaluate two aspects for each risk: likelihood and impact. Both can be scored on a 1–5 scale.
The key is not perfect mathematical accuracy but that different people evaluate risks using the same logic. Therefore, it’s worthwhile to agree on verbal descriptions for each score.
| Score | Likelihood | Business Impact |
|---|---|---|
| 1 | Extremely unlikely, less than once in 5 years | Minor disruption, no significant customer or financial impact |
| 2 | Possible, about once every 2–5 years | Limited disruption, fixable within a workday |
| 3 | Moderate, may occur annually | Noticeable disruption, causes extra work or limited customer impact |
| 4 | Likely, multiple occurrences per year | Significant disruption, service outage, contract or reputational impact |
| 5 | Very likely or already recurring | Severe impact, prolonged outage, data breach, or significant financial loss |
The risk level is calculated by multiplying the two scores (likelihood × impact, giving a value from 1 to 25). Agree on the treatment thresholds in advance, before any individual risk is scored.
| Risk Level | Interpretation | Action |
|---|---|---|
| 1–5 | Low | Monitor during regular annual review |
| 6–9 | Moderate | Plan action within 90 days |
| 10–15 | High | Decide action within 30 days |
| 16–25 | Critical | Immediate handling, assign owner within 24 hours |
Tip
If a risk workshop gets stuck on tweaking scores, limit discussion to 15 minutes per risk. The goal is prioritization, not building a perfect theory.
Define scope and participants
Start by deciding which part of the business the assessment covers. In an SME, a good initial scope might be customer data handling, key cloud services, and administrative accounts. Invite 3–6 people to the workshop: business owner, IT, HR or finance, and if needed, the data protection officer.
List assets, threats, and current controls
Document at least one risk for each critical asset. Use a simple structure: asset, threat, vulnerability, current control. For example: asset = customer registry; threat = unauthorized use; vulnerability = outdated access-removal process; current control = two-factor authentication, but no removal procedure in place.
Score the risks using the same model
Evaluate likelihood and impact for each risk on a 1–5 scale. Record a one-sentence justification for the scores to make the assessment repeatable later. If two risks have the same score, prioritize the one with a greater impact on customers, legal obligations, or service continuity.
Decide how to treat the risk and assign an owner
For each high risk, decide whether to reduce, avoid, transfer (via contract or insurance), or accept it with justification. Assign an owner and deadline for each action, e.g., “HR and IT will revoke departing employee’s access rights within 24 hours of employment ending.”
Monitor implementation and reassess residual risk
Once an action is taken, reassess the risk. The result is the residual risk, i.e., the risk that remains after the controls are in place. Review high risks at least monthly, and the entire risk register at least twice a year or whenever a significant change occurs.
What Kind of Risk Treatment Actions Are Recommended?
Risk assessment is useless if it does not lead to practical changes. Therefore, every significant risk should have a realistic treatment action whose effect can be tracked.
Good risk management actions include:
- Removing access rights within 24 hours of employment termination
- Segregating administrative accounts from regular user accounts
- Performing backup restoration tests twice a year
- Adding supplier security requirements in contracts before procurement
- Implementing multi-factor authentication for all remote access within 30 days
- Practicing security incident handling procedures once a year
Below is an example of how one risk may be recorded in practice.
| Risk | Current Level | Action | Owner | Deadline | Residual Risk Target |
|---|---|---|---|---|---|
| Former employee’s account remains active | 12/25 | Add removal workflow to HR-IT process, checklist, and monthly report | IT manager | 14 days | 4/25 |
| Backups have not been tested | 15/25 | Restoration test for critical production data | System owner | 30 days | 6/25 |
| Supplier security requirements missing | 10/25 | Contract appendix for new and renewed agreements | Procurement manager | 60 days | 5/25 |
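To make the scoring model, the treatment thresholds, the tie rule from the scoring step, and the example register above concrete, here is an added worked example in Python (my code, not the article's or any product's). It assumes the likelihood/impact splits behind the table's scores (3×4, 3×5, 2×5) and reads the deadline column as days; note that it flags the 6/25 residual target for the backup risk, which under the article's own thresholds is still Moderate rather than Low.

```python
from dataclasses import dataclass

# Treatment thresholds from the article's risk-level table: (min, max, level, deadline in days).
# The day values are my reading of the action column (1 day for "24 hours", 365 for the annual review).
BANDS = [(1, 5, "Low", 365), (6, 9, "Moderate", 90), (10, 15, "High", 30), (16, 25, "Critical", 1)]

def risk_score(likelihood: int, impact: int) -> int:
    """Risk level = likelihood x impact; both must be on the agreed 1-5 scale."""
    for value in (likelihood, impact):
        if not 1 <= value <= 5:
            raise ValueError(f"scores must be on the 1-5 scale, got {value}")
    return likelihood * impact

def classify(score: int) -> tuple:
    """Map a 1-25 score to (level, deadline_days) using the thresholds above."""
    for low, high, level, days in BANDS:
        if low <= score <= high:
            return level, days
    raise ValueError(f"score {score} is outside 1-25")

@dataclass
class Risk:
    name: str
    likelihood: int           # 1-5, per the article's likelihood scale
    impact: int               # 1-5, per the article's business-impact scale
    owner: str = ""
    residual_target: int = 0  # agreed score after treatment; 0 = not yet set

def treatment_plan(risks: list) -> list:
    """Sort highest score first (ties go to the greater impact, per the article's tie rule) and
    flag what a reviewer wants to see: missing owners and residual targets that are not yet Low."""
    rows = []
    for r in sorted(risks, key=lambda x: (risk_score(x.likelihood, x.impact), x.impact), reverse=True):
        score = risk_score(r.likelihood, r.impact)
        level, days = classify(score)
        # A residual target only counts as acceptable if it lands in the Low band; 6/25 is still Moderate.
        residual_ok = r.residual_target > 0 and classify(r.residual_target)[0] == "Low"
        rows.append({"risk": r.name, "score": score, "level": level, "deadline_days": days,
                     "needs_owner": level in ("High", "Critical") and not r.owner,
                     "residual_acceptable": residual_ok})
    return rows

# Constructed register mirroring the article's example table; the likelihood/impact splits are assumed.
EXAMPLE_REGISTER = [
    Risk("Former employee's account remains active", 3, 4, "IT manager", 4),
    Risk("Backups have not been tested", 3, 5, "System owner", 6),
    Risk("Supplier security requirements missing", 2, 5, "Procurement manager", 5),
]
```

Running `treatment_plan(EXAMPLE_REGISTER)` orders the backup risk (15/25) first and reports its residual target as not yet acceptable, which is exactly the kind of check that prevents a high risk from being quietly closed while still in the Moderate band.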
If you wonder how many risks to include in the first assessment, start with a limited set. Usually, 10–20 risks are enough for the first round. The key is to surface the 3–5 key risks that management can realistically act upon.
Common Mistakes That Slow Down ISO 27001 Work
Risk assessment rarely fails due to lack of threats. It more often fails because the model is too heavy or responsibilities are unclear.
Do you recognize any of these in your organization?
- Risks are recorded too generally, e.g., “cyber attack,” without specifying asset or impact
- No scoring model, or different people use it inconsistently
- No owners or deadlines assigned for actions
- Risk register is updated only before audits
- Controls copied from a template without linking to risk assessment
Warning
A common mistake is silently accepting a high risk because fixing it feels too burdensome. If a risk is accepted, the decision must be documented, justified, and approved by the appropriate responsible person.
In practice, a good checklist for each risk is:
- Is the risk described in one clear sentence?
- Does it show which asset or process is affected?
- Is there a justification for the score?
- Is there an owner for the action?
- Is the deadline realistic, e.g., 14, 30, or 90 days?
- Do we know when the risk will be reassessed?
How to Keep Risk Management Alive in Daily Operations?
The best ISO 27001 model is one that is used beyond audits. Therefore, risk management should be integrated into existing management rhythms rather than built as a separate project.
A practical routine for an SME could be:
| Rhythm | Activity | Duration | Participants |
|---|---|---|---|
| Monthly | Status update on high risks | 30 min | IT, business owner |
| Quarterly | Assess new risks and changes | 60 min | Management, IT, process owners |
| Twice a year | Update entire risk register | 2–3 h | Key personnel |
| Annually | Management review and priority confirmation | 60–90 min | Management |
If the company already uses ISO 9001 or another management system, it is best to handle risk management reviews within those same sessions. This prevents the work from becoming siloed. The Softapankki Oy and QMClouds Oy solutions in the Laatupankki product family reflect the same idea: a management system works best when responsibilities, tasks, and monitoring live in the same daily tool.
Tietoturvapankki is especially helpful when risk assessment needs to be done consistently without heavy manual maintenance. When risks, controls, responsibilities, and monitoring are all in one place, audit readiness improves while daily work becomes clearer.
Summary
- ISO 27001 risk assessment works best when you start with critical assets, not general threats.
- For SMEs, a clear 1–5 scoring model for likelihood and impact is usually sufficient.
- Every high risk must have an owner, an action, and a deadline, such as 30 days or 24 hours.
- The risk register should be updated regularly, not just before audits.
- The goal is not a perfect Excel but a repeatable risk management model that supports decision-making.