Short answer: ISO 27001 clause 6.1 requires you to assess information security risks against defined criteria, then treat them by selecting controls. You set the criteria first, apply a consistent method, record the results, and feed the selected controls into the Statement of Applicability. The risk assessment is the foundation everything else in the ISMS rests on.
Most failed ISO 27001 projects go wrong at the risk assessment, because teams reach for the control list before they understand their risk. The standard runs the other way: risk first, controls second. Clause 6.1 sets out how, and getting it right makes the Statement of Applicability and the audit far easier. This covers the criteria, the method, the treatment and the link forward.
What does ISO 27001 clause 6.1 require?
Clause 6.1 requires two connected processes. Clause 6.1.2 asks for an information security risk assessment process that identifies risks, analyses them and evaluates them against criteria you have defined in advance. Clause 6.1.3 asks for a risk treatment process that decides how to handle each risk and selects the controls to do it.
Both must be documented and both must be repeatable, so that if you run the assessment again you get comparable results. This is what stops risk assessment being a one off gut feel exercise. The output drives the Statement of Applicability (SoA), the risk treatment plan, and the objectives you set for the ISMS. It is the spine of the ISO 27001 management system, which is why the standard puts it in the planning clause rather than treating it as an afterthought.
How do you set ISO 27001 risk criteria?
Set them before you assess anything. Clause 6.1.2 asks you to establish and maintain risk criteria: your risk acceptance criteria, the threshold above which a risk must be treated, and your criteria for performing assessments, the scale and method you will apply. Defining these first is what makes results consistent and defensible.
Risk acceptance criteria state what level of risk the organisation is willing to tolerate. Assessment criteria define how you measure likelihood and impact, often on a scale that produces a risk rating. The mistake is scoring risks first and reverse engineering the criteria to fit, which an auditor will see through. Tie the criteria to your ISMS scope and the value of the information in it. Written down and applied the same way every time, the criteria turn subjective judgement into a process you can repeat and defend at audit.
What risk assessment method should ISO 27001 use?
The standard is deliberately silent on method. Clause 6.1.2 requires only that the process produces consistent, valid and comparable results. You choose the approach; two are common.
| Approach | How it works | Suits |
|---|---|---|
| Asset based | Identify information assets, then threats and vulnerabilities against each | Organisations with a clear asset inventory |
| Scenario based | Identify risk scenarios, then the assets and impacts each affects | Service and platform organisations, faster to run |
| Hybrid | Scenario led with asset detail where it matters | Most real world ISMS programmes |
The 2013 standard leaned toward asset based identification; the 2022 version removed that emphasis, so scenario based methods are now equally valid. Pick the one that fits how your organisation actually thinks about risk, define it, and apply it consistently. A method you can run repeatably beats a sophisticated one you apply once.
What is ISO 27001 risk treatment and how does it work?
Once risks are assessed and rated against your criteria, treatment decides what to do with each. The four standard options are to treat the risk by applying controls, tolerate it if it falls within your acceptance criteria, transfer it, for example through insurance or a supplier, or terminate the activity that creates it.
For risks you choose to treat, you select controls. Clause 6.1.3 then requires you to compare the controls you selected against Annex A, to check nothing necessary has been missed, and to produce a risk treatment plan with owners and timelines. The comparison result is recorded in the Statement of Applicability. This is the step teams skip: they build the Statement of Applicability straight from Annex A without a risk assessment behind it, and every control then traces to nothing. Do it in order and each control has a risk it answers to. Risk owners must accept the residual risk and the treatment plan.
How does the ISO 27001 risk assessment feed the ISMS?
It feeds almost everything downstream. The controls selected in treatment populate the Statement of Applicability and the risk treatment plan. The risk picture drives the internal audit programme, which weights attention toward higher risk areas. Residual risks and treatment progress are reviewed at the management review.
Crucially, the risk assessment is not a one time document. Clause 8.2 requires you to perform it at planned intervals and when significant change occurs. A risk assessment frozen at the date of certification is a common surveillance finding, because the threat and asset picture always moves, new systems, new suppliers, incidents that reveal a gap. Keep it living and the rest of the ISMS stays current with it. If you want the risk assessment and treatment built correctly the first time, Cybernion runs ISO 27001 risk assessment and readiness. The ISO 27001 readiness checklist is a useful companion, and Annex A controls explained covers the controls your treatment will select from.
Frequently asked questions
Is a risk assessment mandatory for ISO 27001?
Yes. Clause 6.1.2 requires an information security risk assessment process, and clause 6.1.3 requires a risk treatment process. Both must produce documented results. The risk assessment is the foundation the rest of the ISMS, including the Statement of Applicability, is built on.
What method should you use for ISO 27001 risk assessment?
The standard does not mandate a method. You choose one that produces consistent, comparable and repeatable results. Asset based and scenario based approaches are both common. What matters is that you define your criteria first and apply them the same way every time.
What is the difference between ISO 27001 risk assessment and risk treatment?
The risk assessment identifies and evaluates risks against your criteria. Risk treatment decides what to do about each one, treat, tolerate, transfer or terminate, and selects controls. Treatment produces the risk treatment plan and drives the Statement of Applicability.
How does the ISO 27001 risk assessment link to the Statement of Applicability?
The controls you select during risk treatment are compared against Annex A, and the result is recorded in the Statement of Applicability, which marks each Annex A control applicable or not with a reason. The risk assessment comes first; the Statement of Applicability records the outcome.
How often should you review the ISO 27001 risk assessment?
At planned intervals and when significant change occurs, a new system, a new threat, an incident or a change of scope. A risk assessment left static after certification is a common surveillance audit finding, because the risk picture always moves.
Written by Gaurav Vikash, an ASD endorsed IRAP assessor and senior cyber security leader with 18 years of experience across Australia, the UK and Asia, including CISO and senior security leadership roles. He holds CISSP, CISA, CISM and CRISC and is an ISO 27001 and ISO 42001 Lead Implementer, and speaks regularly at industry conferences.
Sources:
- ISO/IEC 27001:2022, clause 6.1 (Actions to address risks and opportunities), iso.org, 2022
- ISO/IEC 27005:2022, Guidance on managing information security risks, iso.org, 2022
Last updated: 3 July, 2026