
How to Start ISO 27001 Risk Assessment in an SMB

Ilkka Sillanpää

CEO

Published March 24, 2026

In many small and medium-sized businesses, it is understood that information security risks should be assessed, but getting started can feel daunting. Where do you begin, how extensive will the work be, and does everything need to be documented immediately? If the start drags on, the risks are often identified only after a customer requirement, an audit, or an incident.

This article walks you through how to practically start an ISO 27001 risk assessment in an SMB. You’ll get a clear step-by-step model, concrete initial decisions, a simple scoring example, and guidance on keeping the work manageable within the first 2–4 weeks.

Prerequisites

  • Appoint one responsible person, for example an IT manager, quality manager, or security officer
  • Define the first scope of application for the assessment: for instance the whole company, or one service, business process, or customer environment
  • Reserve at least 2 x 2-hour workshops plus 1–2 hours weekly for follow-up in the first month
  • Gather basic information in advance: system list, key suppliers, personnel roles, and past incidents

What Does ISO 27001 Risk Assessment Mean in Practice?

Risk assessment practically means identifying your company’s most significant threats to information, systems, and processes, evaluating their impact, and deciding on actions. ISO 27001 doesn’t require complicated theory but a repeatable method to assess risks consistently every time.

The key insight for SMBs is this: you don’t have to assess everything perfectly at once. On the first round, it’s enough to identify 3–5 key risks per critical business area and assign owners, actions, and schedules to them.

Common first scopes include:

  • customer data and personal information
  • Microsoft 365 or Google Workspace environments
  • endpoints like laptops
  • access rights management
  • subcontractors and cloud services
  • backups and recovery

Note

ISO 27001 does not mandate a single compulsory risk calculation model. The most important thing is that you use a coherent model suitable for your operations and can justify your decisions during audits.

Define Clearly: What to Include and What Not?

The most common startup mistake is trying to assess all risks of the entire company at once. This easily results in an overly broad list that no one has time to maintain. Therefore, the first practical decision is the scope of application, i.e., the part of the operations the assessment covers.

A good scope in an SMB is something you can realistically cover in 1–3 workshops. If the company has one main product or a clear service environment, start there. If customer requirements cover the entire organization, limit the first assessment round at least to the key processes.

Make sure the scope covers at least these:

  • the most important information and data repositories
  • critical systems
  • key personnel roles
  • external suppliers on which you depend
  • legal or customer requirements

The following table helps you choose a suitable starting scope:

| Option | When Suitable | Initial Effort | SMB Recommendation |
|---|---|---|---|
| Whole company at once | Operations are simple and there are few systems | Medium | Good if under 20 employees and few services |
| One service or product | Customer requirements target a specific service | Small | Often the best initial scope |
| One process, e.g., access rights management | Need a quick start | Very small | Good pilot, but not sufficient alone long-term |
| One customer environment | Security requirements come from a single customer | Small–medium | Works well if customer-specific requirements drive the work |

Choose a Simple Scoring Model from the Start

Once risks are identified, you need to compare them against each other. Otherwise, everything seems equally urgent. Practically, you need at least two metrics: impact and likelihood.

For SMBs, a scale of 1–3 or 1–5 often suffices. The most important thing is not mathematical precision but that the team understands what the numbers mean. If the model is too complicated, assessment slows down and results vary between assessors.

Here is a practical example of a 1–3 scale:

| Score | Impact | Likelihood |
|---|---|---|
| 1 | Minor disruption, impact less than 4 hours or low cost | Unlikely, occurs less than once every 3 years |
| 2 | Disruption affects customers or internal work for 1–2 days | Possible, might happen once every 1–2 years |
| 3 | Serious disruption: customer impact, data leak, or business interruption over 2 days | Likely, can happen multiple times per year |

Risk score can be calculated as:

  • risk = impact x likelihood

This gives a clear prioritization:

| Risk Score | Interpretation | Action |
|---|---|---|
| 1–2 | Low | Monitor as part of normal operations |
| 3–4 | Medium | Plan controls and assign owners within 30 days |
| 6–9 | High | Initiate actions immediately and monitor progress at least monthly |

Tip

If you can’t agree on scores within 5 minutes, first document the reasons verbally. Often disagreements arise because impacts on customers and internal operations get confused.

Which Risks Should an SMB Identify First?

The first assessment should not become a brainstorming session listing hundreds of possible threats. A better approach is reviewing a few standard topics where SMBs typically find their most relevant risks.

Start with these risk categories, for example:

  • access rights not revoked when employment ends
  • missing multifactor authentication on critical services
  • backups not tested regularly
  • devices not encrypted or updated on time
  • strong supplier dependence without alternative solutions
  • staff poor at recognizing phishing messages
  • information scattered without clear owners

A concrete example of a single risk:

| Risk | Impact | Likelihood | Score | Control Measure | Responsibility | Deadline |
|---|---|---|---|---|---|---|
| Ex-employee account remains active in SaaS service | 3 | 2 | 6 | Offboarding process, checklist, and account removal within 24 hours | IT Manager | 14 days |

Ask yourself and your team directly:

  • In what situation would a customer first notice that information security failed?
  • Which single mistake would stop work tomorrow?
  • Where are we reliant on a single person or supplier?

These questions often reveal more relevant risks than general brainstorming lists.

Appoint the assessment team and decide initial scope

Include at least a business owner, an IT-savvy person, and, if needed, a quality or data protection officer. Keep the group small; 3–5 people usually suffice. Document whether the assessment covers the whole company or, for example, one service or customer environment.

List key information, systems, and dependencies

Create an initial map on one page or table. Record at least key information, the systems processing it, owners, and external suppliers. If this listing takes more than 90 minutes, the scope is probably too broad.

Identify 10–15 initial risks using standard categories

Review access rights, devices, cloud services, backups, staff, suppliers, and incidents. The goal is not a complete list but a manageable initial set. For most SMBs, 10–15 risks are enough for the first round.

Score risks using the same model and select 3–5 most important

Use one agreed scale, for example impact 1–3 and likelihood 1–3. Calculate scores, rank risks, and together select the top 3–5 for follow-up. If all risks seem high, your evaluation criteria are too vague.

Decide controls, owners, and review cadence

Every high risk needs a concrete action, a responsible owner, and a deadline: for example, enabling MFA within 30 days, or checking weekly that access rights have been revoked. Agree to review the risk list at least quarterly and after any major change.
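The scoring model above (impact 1–3 × likelihood 1–3, banded into Low, Medium and High) and the "score, rank, select the top 3–5" step can be captured in a small risk register. The following Python is an added example, not code from the article or from Tietoturvapankki; the register rows other than the ex-employee account case are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Risk:
    name: str
    impact: int
    likelihood: int
    owner: str = ""
    control: str = ""
    deadline_days: int = 0  # 0 means no deadline agreed yet

    def score(self) -> int:
        # risk = impact x likelihood on the article's 1-3 scales
        if self.impact not in (1, 2, 3) or self.likelihood not in (1, 2, 3):
            raise ValueError(f"{self.name}: impact and likelihood must be 1-3")
        return self.impact * self.likelihood

def band(score: int) -> str:
    # Article's bands: 1-2 Low, 3-4 Medium, 6-9 High (5, 7, 8 cannot occur on a 1-3 grid)
    if score <= 2:
        return "Low"
    if score <= 4:
        return "Medium"
    return "High"

def ranked(risks):
    # Highest score first; ties broken by impact so customer-facing damage sorts higher
    return sorted(risks, key=lambda r: (r.score(), r.impact), reverse=True)

def top_risks(risks, n=5):
    # The 3-5 risks that get owners, controls and deadlines in the first round
    return ranked(risks)[:n]

def criteria_too_vague(risks) -> bool:
    # "If all risks seem high, your evaluation criteria are too vague."
    return bool(risks) and all(band(r.score()) == "High" for r in risks)

def incomplete_high_risks(risks):
    # Every High risk needs a named owner, a concrete control and a deadline
    return [r.name for r in risks if band(r.score()) == "High"
            and not (r.owner and r.control and r.deadline_days > 0)]

# Constructed sample register; the first row is the article's own worked example
SAMPLE = [
    Risk("Ex-employee account remains active in SaaS", 3, 2, "IT Manager",
         "Offboarding checklist, account removal within 24 h", 14),
    Risk("No MFA on admin accounts", 3, 3),  # scored but no owner yet
    Risk("Laptops not encrypted", 2, 2, "IT Manager", "Enable disk encryption", 30),
    Risk("Printer firmware outdated", 1, 2),
]
```

Running `incomplete_high_risks(SAMPLE)` flags the MFA row, which is exactly the "control without an owner and deadline" pitfall the article warns about.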

Common Mistakes at the Start

The first mistake is documenting too much before the shared approach is clear. If you spend weeks polishing templates but make no risk decisions, the work won’t improve security yet.

Another common mistake is leaving the business side out of the assessment. IT alone does not always know what is most critical to the customer. That is why at least one business representative must participate in scoring.

Avoid especially these:

  • overly broad scope in the first round
  • unclear scoring that different people interpret differently
  • listing risks without owners and deadlines
  • copying control measures directly from templates without own justification
  • conducting the assessment only once a year, with no follow-up in between

Warning

A frequent pitfall is recording controls as just “improve guidance.” Without an owner, deadline, and measurable results, this often gets left undone. Instead, specify something like: “MFA enabled for all admin accounts within 30 days.”

How to Make Risk Assessment Part of Everyday Work?

A good ISO 27001 risk assessment is not a one-off Excel file but part of management. Practically, this means linking risks to changes, incidents, and management reviews. When a new system is deployed or a supplier changes, update the risk list accordingly.

In SMBs, a light but regular rhythm works well. You don’t need a heavy governance model as long as responsibilities, schedules, and monitoring are clear.

An effective monthly or quarterly rhythm might look like this:

| Activity | Frequency | Duration | Responsibility |
|---|---|---|---|
| High risk status review | Monthly | 15–30 min | Risk owners |
| Full risk list review | Quarterly | 60 min | Responsible person + key staff |
| Update after changes | As needed | 30–60 min | Change owner |
| Management summary | 2–4 times per year | 15 min | Security officer |

If you use Tietoturvapankki, recording risks, ownership, and monitoring all happens in one place. This particularly helps avoid the assessment depending on one person's memory or scattered files.

Summary

  • Start small: limit your first scope so you can cover it within 2–4 weeks.
  • Use a simple and consistent scoring system, for example impact 1–3 and likelihood 1–3.
  • Identify 10–15 risks first, and prioritize the 3–5 most critical into concrete actions.
  • Each significant risk must have an owner, deadline, and measurable control.
  • Update the risk assessment regularly and whenever systems, suppliers, or operations change.
