ISO 27001 Clause 6.1.2 Information Security Risk Assessment

What is ISO 27001 Clause 6.1.2 in ISO 27001?

ISO 27001 Clause 6.1.2 requires a documented process to identify and assess security risks. You must define risk owners and evaluate likelihood and impact levels. This process should reside in business tools like SharePoint or Jira. It ensures risk management remains a core part of your daily operations.

Auditor’s Eye: The Shortcut Trap

Many firms rely on automated SaaS platforms to generate risk registers. This often leads to surface-level compliance. Auditors find that staff cannot explain the risks the software identifies. We prefer seeing risk data in your native document repositories. Using SharePoint or Jira proves management ownership. It shows that your team actually performed the assessment. A green tick in a black box tool is not evidence of intent.

Feature | ISO 27001:2013 | ISO 27001:2022
Risk Identification | Focus on assets or threats. | Emphasis on business-related risks.
Risk Owners | Must be assigned. | Must have authority to manage the risk.
Methodology | Repeatable process required. | Must align with the organisational context.

How to Implement ISO 27001 Clause 6.1.2 (Step-by-Step)

The core requirement is establishing a repeatable process for identifying and evaluating security risks. You must document this methodology and its results within your internal business tools. This ensures the process is a cultural habit rather than a software installation. Follow these steps to ensure compliance.

Step 1: Document Your Methodology

Create a risk assessment procedure in SharePoint. Define how you measure likelihood and impact. Use a 3×3 or 5×5 matrix. Specify what levels of risk require immediate action. Ensure senior management approves these criteria.

Step 2: Identify Risks in Context

Review your organisational context from Clause 4.1. List threats to confidentiality, integrity, and availability. Use a Jira project to track these as individual issues. This allows for clear comments and updates from stakeholders. It integrates risk identification into your technical workflows.

Step 3: Evaluate and Assign Ownership

Assess each risk using your defined scales. Assign a specific individual as the risk owner. Record these scores and owners in your register. Use the version history in your document system to prove ongoing review. This demonstrates human oversight to the auditor.

ISO 27001 Clause 6.1.2 Information Security Risk Assessment Audit Evidence Checklist

Auditors look for manual records and meeting minutes. They want to see that humans made the decisions. Provide the following items during your audit.

  • Approved risk assessment methodology stored in SharePoint.
  • Risk register showing likelihood and impact scores.
  • List of risk owners with their assigned responsibilities.
  • Meeting minutes from risk identification workshops.
  • Evidence of risk evaluation results being communicated to management.
  • Historical versions of the risk register proving regular reviews.

Relational Mapping

Clause 6.1.2 is the engine of the ISMS. It takes input from Clause 4.1 (Context) and Clause 4.2 (Interested Parties). The results directly feed into Clause 6.1.3 (Risk Treatment). You cannot select controls in Annex A without this assessment. It provides the justification for your Statement of Applicability.

Auditor Interview: Direct Process Management

Question: How did you identify the risks in this register?

Answer: We held workshops with department heads and recorded findings in Jira.

Question: Who decided on the likelihood and impact scores?

Answer: The risk owners determined the scores based on our SharePoint methodology.

Question: How do you track changes to your risk profile over time?

Answer: We use the version history in our centralised document management system.

Common Non-Conformities

Non-Conformity | Cause | Auditor Perspective
Automated Complacency | Relying on SaaS tool defaults. | Major NC: No evidence of internal assessment.
No Risk Owners | Assigning risks to ‘The IT Team’. | Minor NC: Responsibility is not clearly defined.
Stale Risk Register | Failure to update risks annually. | Minor NC: Process does not reflect current reality.

Frequently Asked Questions

How do I start an ISO 27001 risk assessment?

The bottom line is to define your criteria first. Establish scales for likelihood and impact in SharePoint. Identify your assets and the threats against them. Record these in a register. Assign a person to own each risk. This creates a solid foundation for your security system.

What is the difference between analysis and evaluation?

Risk analysis involves identifying threats and assigning scores. Risk evaluation compares those scores against your risk appetite. You decide which risks need treatment based on this comparison. Document this decision process in your meeting minutes. This shows auditors that you are making informed choices.

How often should I review my risk assessment?

You should review your assessment at least once a year. Significant business changes also require an immediate review. Record these updates in your version-controlled risk register. This proves to auditors that your ISMS is living and active. Use internal alerts to prompt these reviews.
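The following is an added example, not part of this page or its publisher's material, that puts Steps 1 to 3, the analysis versus evaluation distinction and the annual review rule into one small risk-register check. The 5×5 scales, the action thresholds, the list of generic owner names and the sample register entries are all constructed assumptions; your own management-approved methodology supplies the real values.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Scales and thresholds are assumptions for this example; in practice they come from the methodology approved in Step 1.
SCALE_MAX = 5                      # 5x5 matrix: likelihood and impact each scored 1..5
IMMEDIATE_ACTION_SCORE = 15        # score at or above which action is required now
TREATMENT_SCORE = 8                # score at or above which a treatment plan is needed
REVIEW_INTERVAL = timedelta(days=365)   # "at least once a year"
GENERIC_OWNERS = {"", "tbd", "it", "the it team", "security team"}   # not named individuals
AUDIT_DATE = date(2024, 9, 1)      # constructed audit date for the sample run

@dataclass
class Risk:
    ref: str
    description: str
    likelihood: int      # 1..5 from the approved scale
    impact: int          # 1..5 from the approved scale
    owner: str           # must be a named individual with authority to manage the risk
    last_reviewed: date

def analyse(risk: Risk) -> int:
    """Risk analysis: turn the scored likelihood and impact into a matrix score."""
    if not (1 <= risk.likelihood <= SCALE_MAX and 1 <= risk.impact <= SCALE_MAX):
        raise ValueError(f"{risk.ref}: scores must be on the 1..{SCALE_MAX} scale")
    return risk.likelihood * risk.impact

def evaluate(score: int) -> str:
    """Risk evaluation: compare the score with the approved appetite thresholds."""
    if score >= IMMEDIATE_ACTION_SCORE:
        return "immediate action"
    if score >= TREATMENT_SCORE:
        return "treat"
    return "accept"

def audit_register(risks: list[Risk], today: date) -> list[tuple[str, str]]:
    """Flag the register entries an auditor would raise as non-conformities."""
    findings = []
    for r in risks:
        if r.owner.strip().lower() in GENERIC_OWNERS:
            findings.append((r.ref, "no named risk owner"))
        if today - r.last_reviewed > REVIEW_INTERVAL:
            findings.append((r.ref, "stale: not reviewed within 12 months"))
    return findings

# Constructed sample register entries (not real risks from any organisation).
SAMPLE_REGISTER = [
    Risk("R-01", "Ransomware on file servers", 4, 5, "J. Smith", date(2024, 3, 1)),
    Risk("R-02", "Lost laptop with unencrypted disk", 3, 3, "The IT Team", date(2024, 6, 1)),
    Risk("R-03", "Vendor outage of payroll SaaS", 2, 2, "A. Jones", date(2022, 1, 15)),
]
```

Running `audit_register(SAMPLE_REGISTER, AUDIT_DATE)` surfaces exactly the two minor non-conformities from the table above: a risk owned by "The IT Team" and an entry not reviewed in over a year.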

LA CASA DE CERTIFICACIÓN