HomeResourcesBlogISO 27001
🌍 ISO 27001🛡️ Information Security🚀 Startup Guide

Risk Assessment in ISO 27001 — How It Works Step by Step

The risk assessment is the engine of the ISMS. It determines which controls you need, what resources to invest, and where your security programme focuses its energy. Here is the step-by-step methodology — from asset identification to risk treatment decisions.

SS
Soham Sawant
✍️ Cybersecurity Expert & Technical Writer·📖 9 min read
📅 April 2026·🏢 SecComply
ISO 27001 risk assessment methodology step by step

Risk assessment is not a one-time exercise. It runs at least annually, and whenever a significant change occurs — new product, new vendor, new market, new threat.

Risk Assessment Methodology — 4-Step Process01IDENTIFYAssets, threats, vulnerabilities02ASSESSLikelihood × Impact = Risk Score03TREATMitigate, accept, transfer, avoid04MONITORReview, update, improveIDENTIFY → ASSESS → TREAT → MONITOR → REPEATFor a typical startup, expect 40-80 identified risks across data breaches, unauthorised access, service disruption, vendor failures, and human error.
In This Article
Why Risk Assessment MattersThe Risk Assessment MethodologyStep 1: Asset IdentificationStep 2: Threat and Vulnerability AnalysisStep 3: Likelihood and Impact ScoringStep 4: Risk TreatmentThe Risk RegisterCommon Risks for StartupsKeeping It AliveFAQ

The risk assessment is the engine of your ISMS. Everything else — your controls, your policies, your audit programme — flows from the risks you identify and how you decide to treat them. ISO 27001 Clause 6.1.2 requires a documented risk assessment methodology that is repeatable, produces consistent results, and identifies risks to the confidentiality, integrity, and availability of information. Here is how it works, step by step.

Why Risk Assessment Matters

Without a risk assessment, your security programme is guesswork. You are implementing controls because they seem important or because a vendor sold them to you — not because they address your actual risks. The risk assessment gives your ISMS its direction: it tells you where to invest, what to prioritise, and what you can reasonably accept.

Auditors will check three things about your risk assessment: Is the methodology documented? Are the results consistent and reproducible? Do your controls actually trace back to identified risks? If any of these fail, the risk assessment is a finding — and without a valid risk assessment, the entire ISMS foundation is questionable.

The Risk Assessment Methodology

ISO 27001 does not prescribe a specific methodology — it requires that you define one, document it, and apply it consistently. The most common approach for startups is a qualitative asset-based methodology with a likelihood-impact scoring matrix. Here are the four steps:

Step 1 — Asset Identification

List every information asset within your ISMS scope. An information asset is anything that has value to the organisation and could be compromised. Categories include:

  • Data assets: Customer databases, source code repositories, employee records, financial data, API keys, credentials
  • Software assets: Production applications, internal tools, SaaS subscriptions, development environments
  • Hardware assets: Servers (cloud instances count), laptops, mobile devices, network equipment
  • People assets: Key personnel with critical knowledge or access — the bus factor
  • Service assets: Cloud infrastructure (AWS, Azure, GCP), third-party APIs, email platforms, CRM

For each asset, assign an owner — the person accountable for its security. Asset ownership drives accountability throughout the ISMS.

Step 2 — Threat and Vulnerability Analysis

For each asset, identify the threats it faces and the vulnerabilities that could be exploited. A threat is something that could go wrong; a vulnerability is the weakness that allows it.

AssetThreatVulnerability
Customer databaseUnauthorised accessWeak access controls, no MFA
Source codeData exfiltrationOverly permissive repository access
Production serverService disruptionNo redundancy, single point of failure
Employee laptopMalware infectionNo endpoint protection, outdated OS
API keysCredential theftKeys stored in source code or plaintext
Cloud infrastructureMisconfigurationDefault settings, no configuration baseline

Step 3 — Likelihood and Impact Scoring

For each risk scenario (asset + threat + vulnerability), score the likelihood of the threat materialising and the impact if it does. Multiply to get a risk score.

ScoreLikelihoodImpact
1Rare — unlikely to occur in 3 yearsNegligible — minimal disruption, no data loss
2Unlikely — could occur once in 3 yearsMinor — short disruption, limited data exposure
3Possible — could occur once per yearModerate — significant disruption, some data loss
4Likely — expected to occur multiple times per yearMajor — extended outage, significant data breach
5Almost certain — expected to occur frequentlyCritical — business-threatening, regulatory penalties

Risk Score = Likelihood × Impact. Scores of 1-8 are typically low risk (accept or monitor). Scores of 9-16 are medium (implement controls). Scores of 17-25 are high or critical (immediate action required). Define your risk appetite — the threshold above which risks must be treated — and document it as part of your methodology.

Step 4 — Risk Treatment

For each risk above your risk appetite threshold, choose a treatment option:

  • Mitigate: Implement controls to reduce likelihood, impact, or both. This is the most common treatment. Link each mitigation to a specific Annex A control.
  • Accept: Acknowledge the risk and document the decision, including the business rationale. Requires sign-off from the risk owner or management.
  • Transfer: Shift the risk to a third party — typically through insurance or contractual arrangements with vendors.
  • Avoid: Eliminate the activity that creates the risk entirely. Sometimes the right answer is to stop doing the risky thing.

The output is a Risk Treatment Plan — a documented plan showing which risks are being treated, how, by whom, and by when.

The Risk Register — Your Central Risk Document

The risk register captures every identified risk with its assessment and treatment decision. For each entry, document:

  • Risk ID and description
  • Asset affected and asset owner
  • Threat and vulnerability
  • Likelihood score, impact score, and risk score
  • Treatment decision (mitigate/accept/transfer/avoid)
  • Controls implemented (linked to Annex A)
  • Residual risk score (after treatment)
  • Risk owner and review date

Common Risks for Startups

Based on SecComply implementation data, the most commonly identified risks for SaaS startups include:

  • Unauthorised access to production systems due to insufficient access controls or missing MFA
  • Data breach through compromised vendor or third-party integration
  • Service disruption from single points of failure in cloud infrastructure
  • Credential exposure through secrets committed to source code repositories
  • Insider threat from overly permissive access rights or lack of access reviews
  • Phishing attacks targeting employees with access to sensitive systems
  • Data loss from inadequate backup procedures or untested restoration
  • Compliance violation from untracked regulatory requirements (DPDP, GDPR)

Keeping It Alive — Not a One-Time Exercise

The risk assessment is not a document you write once for certification and then file away. It must be reviewed and updated:

  • At least annually as part of the ISMS management review cycle
  • When significant changes occur — new product launch, new market, new vendor, organisational restructuring, major incident
  • When the threat landscape changes — new vulnerability classes, new attack techniques, new regulatory requirements
  • After security incidents — each incident is a data point that may change likelihood or impact scores

The risk register should be a living document with a named owner and a defined review cadence. For the full picture on what an ISMS encompasses, see our What Is an ISMS guide.

Ready to Start Your ISO 27001 Journey?

SecComply helps Indian startups and global enterprises implement ISO 27001 from gap assessment to certification — with realistic timelines and fixed-scope engagements.

Book a Free ISO 27001 Consultation →

Frequently Asked Questions

Does ISO 27001 prescribe a specific risk assessment methodology?

No. ISO 27001 Clause 6.1.2 requires a documented methodology that produces consistent, valid, and comparable results — but does not prescribe which methodology to use. The most common approach for startups is qualitative asset-based assessment with a likelihood-impact scoring matrix.

How many risks should a typical startup identify?

For a typical SaaS startup, expect 40-80 identified risks across categories like data breaches, unauthorised access, service disruption, vendor failures, and human error. The number depends on the complexity of your operations, the breadth of your ISMS scope, and the granularity of your asset inventory.

What is the difference between inherent risk and residual risk?

Inherent risk is the risk level before any controls are applied. Residual risk is the risk level after controls are implemented. Auditors will check that residual risk scores are documented and that any residual risk above the risk appetite threshold has been formally accepted by management with documented justification.

How often must the risk assessment be reviewed?

At minimum annually, but also whenever significant changes occur — new products, new vendors, organisational changes, major incidents, or changes in the threat landscape. The risk register should be a living document, not a point-in-time exercise filed away after certification.

What happens if a risk is above the risk appetite but we choose to accept it?

Risk acceptance above the threshold requires formal, documented sign-off from management or the risk owner. The acceptance must include the business rationale for why the risk is being accepted rather than treated. Auditors will review acceptance decisions and challenge those without adequate justification.