ISO 27001:2022 Clause 6.1.2: Information Security Risk Assessment

The Definitive Governance Requirement.

Clause 6.1.2 mandates that you establish and maintain a repeatable information security risk assessment process. It is not enough to list your fears. You must deploy a defined methodology to identify risks, analyze their potential consequences, and evaluate them against established criteria.

The Mandate

The standard demands objectivity. You cannot rely on “gut feeling.” You must define and apply an information security risk assessment process that:

  1. Establishes Criteria: You must define your Risk Acceptance Criteria (what level of risk is the Board willing to tolerate?) and criteria for performing assessments.
  2. Identifies Risk: Pinpoint the risks associated with the loss of confidentiality, integrity, and availability of information. You must also identify the Risk Owners.
  3. Analyzes Risk: Assess the potential consequences (Impact) and the realistic probability (Likelihood) of these risks occurring.
  4. Evaluates Risk: Compare the calculated risk score against your acceptance criteria. Does this require treatment, or is it acceptable?

The Verdict: If your assessment produces different results when performed by different people, it is invalid. The process must be consistent, valid, and comparable.

The Implementation Strategy

Do not reinvent the wheel. Follow the logical flow of governance.

  1. Define the Criteria First: Before listing a single threat, define your “Impact Table.” What does a “Score of 5” mean financially? Is it £10k or £10m? Define your “Likelihood Table.” Is “High” once a week or once a year?
  2. The Identification Phase: Use an Asset-based or Scenario-based approach.
    • Asset-based: “What can go wrong with this Laptop?”
    • Scenario-based: “What happens if we suffer a Ransomware attack?”
  3. The Calculation: Apply your criteria. Impact × Likelihood = Risk Score.
  4. The Threshold: If the score exceeds your Acceptance Level (e.g., Score > 12), it triggers Clause 6.1.3 (Risk Treatment).
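A worked version of the four steps above in Python, added here as an illustration and not taken from the standard or from the Hightable tool. The impact and likelihood bands, the acceptance level of 12, the scenarios and their estimates are all constructed; the point is that each score is derived from a stated estimate against a published scale, so two assessors with the same estimates get the same score, and a once-in-a-million-years event cannot end up with the same likelihood as a weekly one.

```python
from dataclasses import dataclass

# Step 1: criteria first. Constructed scales; replace with your Board-approved tables.
# Impact: (score, lower bound of financial consequence per occurrence, in GBP).
IMPACT_BANDS = [(1, 0), (2, 10_000), (3, 100_000), (4, 1_000_000), (5, 10_000_000)]
# Likelihood: (score, lower bound of expected occurrences per year).
LIKELIHOOD_BANDS = [(1, 0.0), (2, 0.1), (3, 1.0), (4, 12.0), (5, 52.0)]
ACCEPTANCE_LEVEL = 12  # Step 4: scores above this trigger Clause 6.1.3 treatment


def score_from_bands(value, bands):
    """Map an estimate onto the highest band whose lower bound it reaches."""
    score = bands[0][0]
    for band_score, lower_bound in bands:
        if value >= lower_bound:
            score = band_score
    return score


@dataclass
class Risk:
    scenario: str      # Step 2: scenario-based identification
    owner: str         # the designated Risk Owner (mandatory)
    loss_gbp: float    # estimated financial consequence of one occurrence
    per_year: float    # estimated frequency of occurrence per year


def assess(risk):
    """Step 3 and 4: score the risk and evaluate it against the acceptance level."""
    if not risk.owner:
        raise ValueError(f"no risk owner recorded for {risk.scenario!r}")
    impact = score_from_bands(risk.loss_gbp, IMPACT_BANDS)
    likelihood = score_from_bands(risk.per_year, LIKELIHOOD_BANDS)
    score = impact * likelihood
    return {"scenario": risk.scenario, "owner": risk.owner, "impact": impact,
            "likelihood": likelihood, "score": score,
            "treat": score > ACCEPTANCE_LEVEL}


# Constructed register entries with estimates rather than gut-feel scores.
REGISTER = [
    Risk("Phishing email leads to credential theft", "Head of IT", 1_500_000, 24),
    Risk("Meteor strike destroys primary data centre", "COO", 20_000_000, 0.000001),
    Risk("Lost laptop, full-disk encrypted", "Head of IT", 5_000, 2),
]


def assess_register(register=REGISTER):
    return [assess(r) for r in register]
```

Running `assess_register()` scores the phishing scenario 4 x 4 = 16 (treatment required) and the meteor strike 5 x 1 = 5 (accepted), which is the separation an auditor expects to see.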

The Auditor’s Trap

[The Auditor’s View] The most common Major Non-Conformance here is “Subjectivity.” I often see Risk Registers where a “Meteor Strike” has the same likelihood score as “Phishing Email.” This proves the criteria are broken or the assessor is incompetent. Your math must reflect reality.

Required Evidence

An auditor needs to see the mechanics of your decision-making.

  • Risk Assessment Methodology: A formal document defining your criteria and scoring logic.
  • The Risk Register: The actual database of assessed risks.
  • Previous Risk Assessments: Evidence that the process is repeated at planned intervals or after significant changes.
  • Risk Owner Acceptances: Proof that the designated owners agree with the risk levels.

Strategic Acceleration

Creating a defensible scoring methodology is difficult. If your scales are off, you will either ignore critical threats or bankrupt the company fixing minor ones.

The Hightable™ Risk Assessment Tool comes with pre-calibrated Impact and Likelihood scales based on industry standards (ISO 27005). It removes the guesswork and ensures mathematical consistency.

The Next Move: Deploy the Assessment Tool