The author works at and owns Mint Security, a mean and lean security company founded in 2015. No fuzz (literally - we do not fuzz, there are companies better equipped to do that).

Within the context of ISO 27001, risk comes up as a topic all over the place. The standard itself, as most of ISO standards nowadays do, proclaims itself to be risk-driven. But what does this come down to? Not surprisingly, it is more than just having a workshop about “our risks and what to do about them”.

Let’s look into the subject of risk from a practical viewpoint.

Risk management - practical steps

1. Risk appetite

This is where it all starts. The management needs to define their and the company’s risk appetite. That is, how much “risk” are we going to accept before it simply is too much. What an easy thing to start with, you may say! Essentially though, we are looking for a few philosophical sentences. We want to convey that there are certain areas where risk is encouraged, and certain areas where no risk should be taken. Usually these relate to the actual business – avoid messing with customer data, maybe allow some risk if related to expanding your own business.

2. Security objectives

While your security objectives may not be directly linked to risk, indirectly they are. Your objectives are most likely affected by the risk appetite and may be – at least partially – achieved by applying the appetite. Security objectives are a topic for a separate blog altogether; just be aware of the fact that objectives play a role here. For your risk management’s sake, do ensure you have your objectives – let’s say the 10 most important things – defined.

3. Risk register

You start your risk register by just listing a long list of risks. Yes, ChatGPT can assist you in generating a very long list indeed, and if you choose to go down that path, remember you will just face a very long list to process down the line. Live and learn. Anyway, when you initialize the risk register, start by listing the risks – don’t worry about owners, action plans or impacts & probabilities just yet.

4. Risk methodology

This is most likely the easiest thing to get out of the way. It is natural to create this after the initial risk register has been initialized. This will guide you through the next steps. The risk methodology should in almost all conceivable scenarios be an implementation of ISO31000. And because of that, there will be an abundance of reference materials to create this document from. As said, the most important part here is for you to understand what ISO31000 is about. The actual document is a copy-paste exercise.

5. Risk assessment

The assessment part is one practical aspect of ISO31000. Now it is time to assign an owner to the risk, assess its impact and probability. The next thing is to review your objectives – is this risk you have identified related to your objectives – in other words, may this risk have an impact on your security objectives? If yes, prioritize it accordingly. The methods for mitigating risk are listed in ISO27002, so now is a good time to also list all controls that will be applicable to mitigate this risk. Remember, mitigation IS NOT the same as elimination. You rarely want to eliminate risks, just make them small enough so as not to stand in the way of your objectives.

6. SoA - Statement of Applicability

As you now have touched the topic of ISO27002, it is good to realize that this is also the first step in prioritizing how much work should be put into each control. Controls related to risks (and thus also enabling the achievement of your objectives) are of course the most important ones. If you have already started to approach ISO27002 in a “top-to-bottom” manner, please stop now.

7. Assets

Of course, your objectives are most likely related to your assets – and so will your risks be. This is a good time to also map out which assets are the most risky ones in your company. Again, apply controls in your SoA to the assets as well. You may want to go back to the risk register and link the most important assets to your risks while you are at it.
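To make steps 3 to 7 concrete, here is a small added example (not from the original post or from Mint Security) of a risk register that drives both the SoA and the asset ranking. The scoring rule (impact × probability, doubled when a risk touches a stated security objective) and the sample risks are constructed assumptions; the control ids follow ISO 27002:2022 numbering (5.15 Access control, 8.8 Management of technical vulnerabilities, 8.13 Information backup, 8.24 Use of cryptography).

```python
from dataclasses import dataclass, field

@dataclass
class Risk:
    """One row of the risk register (fields filled in at step 5)."""
    name: str
    owner: str
    impact: int          # 1 (negligible) .. 5 (severe)
    probability: int     # 1 (rare) .. 5 (almost certain)
    objectives: list     # security objectives this risk may affect
    controls: list       # ISO 27002 control ids chosen to mitigate it
    assets: list = field(default_factory=list)

    def score(self) -> int:
        # Assumed rule: impact x probability; a risk that threatens a
        # stated security objective is prioritized by doubling its score.
        base = self.impact * self.probability
        return base * 2 if self.objectives else base

def _ranked(risks, attr):
    """Sum the scores of risks per item of `attr` (controls or assets), highest first."""
    weight = {}
    for r in risks:
        for item in getattr(r, attr):
            weight[item] = weight.get(item, 0) + r.score()
    return dict(sorted(weight.items(), key=lambda kv: kv[1], reverse=True))

def prioritize(risks):
    """Risk register ordered by descending score."""
    return sorted(risks, key=lambda r: r.score(), reverse=True)

def soa_priority(risks):
    """ISO 27002 controls weighted by the risks they mitigate: a control no
    risk points at gets no weight, so it is not where the work goes first."""
    return _ranked(risks, "controls")

def risky_assets(risks):
    """Assets ranked by the risks linked to them (step 7)."""
    return _ranked(risks, "assets")

# Constructed sample register; control ids use ISO 27002:2022 numbering.
RISKS = [
    Risk("Customer data exposed via misconfigured storage", "CTO", 5, 3,
         ["Protect customer data"], ["5.15", "8.24"], ["customer-db"]),
    Risk("Backups unrecoverable after ransomware", "IT lead", 4, 2,
         ["Keep services available"], ["8.13"], ["backup-server"]),
    Risk("Internal wiki left unpatched", "IT lead", 2, 4, [], ["8.8"], ["wiki"]),
    Risk("New market launch slips a quarter", "CEO", 2, 3, [], [], []),
]
```

Running `soa_priority(RISKS)` shows the controls tied to the customer-data risk on top and no entry at all for controls nobody mapped a risk to, which is the “bottom-up” SoA the text argues for.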

Final words

So what have we achieved? We have a holistic approach to risk management, where you can now see that your identified risks and the way you want to mitigate them actually act as drivers for the management system, its objectives and its goals. Risk will drive all your activities. This approach will most likely also prohibit you from spending precious resources on things that are secondary in nature. In addition, your SoA has become a very practical governance tool.

And now, it all makes sense.
