
ISO 27001 Risk Assessment. The foundation of your ISMS.
ISO 27001 requires a formal risk assessment before you can select controls. We design and conduct your information security risk assessment, produce your Statement of Applicability, and build a risk register that satisfies certification body requirements.
Six deliverables. One complete risk picture.
Risk Identification
Systematic identification of information security risks across your people, processes, technology, and physical environment using structured workshops and asset inventories.
Risk Analysis and Scoring
Each risk is analysed for likelihood and impact using a consistent scoring methodology that meets ISO 27001 clause 6.1.2 requirements and satisfies certification body expectations.
Risk Treatment Planning
For each risk entered in the register, we define a treatment option: mitigate, transfer, avoid, or accept. Each treatment is mapped to the relevant Annex A controls.
Statement of Applicability
We produce your Statement of Applicability documenting which Annex A controls are applicable, which are excluded, and the justification for each decision.
Risk Register Maintenance
A live risk register in your preferred format, structured for ongoing maintenance and ready for annual review cycles and surveillance audits.
Risk Owner Assignment
Each risk is assigned a named owner within your organisation, with clear accountability for treatment actions and review obligations.
From asset inventory to risk register. Six structured steps.
Asset Inventory
We work with your team to identify all information assets, including data, systems, applications, and physical assets, and assign asset owners.
Threat and Vulnerability Identification
For each asset, we identify relevant threats and vulnerabilities using industry threat libraries and your specific operational context.
Risk Scoring
Each risk is scored for likelihood and impact using your agreed risk criteria, producing a risk score that determines treatment priority.
Treatment Selection
We work with asset owners to select the appropriate treatment for each risk and map treatments to Annex A controls.
Statement of Applicability
We produce the Statement of Applicability, a mandatory ISO 27001 document listing all Annex A controls with applicability decisions and justifications.
Risk Register Handover
We deliver a complete risk register and Statement of Applicability, brief your team on ongoing maintenance, and prepare you for the ISMS design phase.
Organisations that needed a risk foundation. Before they built controls.
Fintech risk assessment programme
A UK fintech processing payment data needed a risk assessment that satisfied both ISO 27001 and FCA expectations. Our structured methodology produced a risk register covering 140 identified risks, with treatment plans mapped to Annex A controls and FCA SYSC requirements.
Private healthcare provider risk review
A private healthcare group processing patient records needed an ISO 27001 risk assessment that also addressed NHS DSP Toolkit requirements. Our dual-framework approach reduced duplication and produced a single risk register satisfying both standards.
Cloud-first SaaS risk assessment
A UK SaaS business with infrastructure entirely in AWS needed a risk assessment methodology suited to cloud environments. We adapted the ISO 27001 risk framework to address cloud-specific threats and produced a risk register their certification body accepted without modification.
A risk assessment that satisfies your certification body. First time.
Our ISO 27001 risk assessment produces a complete risk register, Statement of Applicability, and risk treatment plan. Everything your certification body needs to see at Stage 1 audit.