ISO 27001 Clause 8.2 Information Security Risk Assessment

ISO 27001:2022 Clause 8.2 Information Security Risk Assessment

What is ISO 27001 Clause 8.2?

ISO 27001 Clause 8.2 requires performing information security risk assessments at planned intervals. You must execute this documented process using business-as-usual tools. Record the results in native repositories like SharePoint or Jira. This ensures risk management remains an active part of your daily operations and organisational culture.

Auditor’s Eye: The Shortcut Trap

Automated SaaS platforms often provide a false sense of security for Clause 8.2. These “black box” tools generate generic risks that staff rarely review. Auditors look for human intent and management ownership. We prefer seeing evidence within your native document repositories. Using SharePoint versioning shows that people actually performed the assessment. Reliance on automated platform reports often suggests a lack of genuine security culture.

| Requirement Aspect | ISO 27001:2013 | ISO 27001:2022 |
|---|---|---|
| Assessment Trigger | Planned intervals. | Planned intervals or when changes occur. |
| Evidence Type | Retain results. | Retain documented information of results. |

How to Implement ISO 27001 Clause 8.2 (Step-by-Step)

Execute risk assessments at defined intervals to ensure your security posture remains current. You must use existing tools to document the assessment results and owner participation. This approach ensures security stays integrated into your daily business operations. Follow these steps for an auditor-ready implementation.

Step 1: Schedule Your Reviews

Establish a recurring task in Jira or your project tool. Set intervals based on your organizational risk appetite. Include triggers for major business changes or security incidents.

Step 2: Convene Assessment Workshops

Host review sessions with asset owners and department heads. Use Confluence to record these discussions in real time. Focus on identifying new threats and evaluating existing controls. Active participation proves management ownership to an auditor.

Step 3: Update the Risk Register

Log all findings in your central SharePoint risk register. Ensure you record the assessment date and the participants. Use version control to track how risks change over time. This creates a transparent audit trail of your security activities.

ISO 27001 Clause 8.2 Information Security Risk Assessment Audit Evidence Checklist

Prepare manual records that demonstrate human oversight and intent. Auditors focus on the following items during the certification process.

  • Dated risk assessment reports stored in SharePoint libraries.
  • Minutes from risk workshops recorded in internal wikis or Confluence.
  • Version-controlled risk registers showing periodic updates.
  • Jira task history showing completion of scheduled risk reviews.
  • Evidence of risk owner approval for assessment results.

Relational Mapping

Clause 8.2 is the operational execution of Clause 6.1.2. It identifies risks that you must treat in Clause 8.3. The results also influence your Clause 9.3 management review. This clause connects your planning phase to your actual security operations.

Auditor Interview: Verifying the Process

Question: How do you know when to perform a risk assessment?

Answer: We follow a defined schedule managed through our Jira system.

Question: Where do you store the results of your latest assessment?

Answer: Results are recorded in our version-controlled SharePoint risk register.

Question: How are department heads involved in this activity?

Answer: They participate in workshops and approve the findings in Confluence.

Common Non-Conformities

| Failure Type | Description | Auditor Finding |
|---|---|---|
| Automated Complacency | Relying on SaaS platform defaults without review. | Major: Lack of internal procedural evidence. |
| Stale Data | Register has not been updated for two years. | Minor: Failure to assess at planned intervals. |
| Missing Triggers | No assessment performed after a major merger. | Minor: Failure to assess during business changes. |

Frequently Asked Questions

What is the bottom line for Clause 8.2?

The bottom line is that assessments must occur regularly. You must document the results in your native tools. This proves the organisation owns the risk process. Avoid relying on black-box software for your evidence. Manual records in SharePoint provide the strongest proof of compliance.

How does a change trigger an assessment?

Changes in technology or staff can create new vulnerabilities. You must evaluate these risks before the change is complete. Document this evaluation in your SharePoint change management logs. This shows auditors that security is part of your change process. Active reviews prevent security gaps.

How can Jira assist with risk assessments?

Jira manages the workflow of the assessment process. It tracks tasks from identification through to management approval. You can link these tickets to your Confluence meeting notes. This creates a linked ecosystem of evidence. Auditors appreciate the clear oversight this provides.