ISO 27001 risk analysis
DEKRA Audit Netherlands

What exactly does the ISO 27001 risk analysis entail?

Organisations wanting to demonstrate that they take measures to secure information internally can request an ISO 27001 certification audit. If the company meets the ISO 27001 requirements, it is granted an ISO 27001 certificate. Part of the ISO 27001 certification audit is an assessment of the risk analysis: the auditor considers whether the organisation requesting the audit has properly identified the possible risks and the associated control measures. DEKRA can perform this assessment as an independent party.

Need for ISO 27001 risk analysis

The purpose of ISO 27001 is to implement a secure management system for information within the organisation. To do so, the organisation must first map out the possible risks in order to determine which measures are needed. That is why risk analysis is the first step for an organisation requesting an ISO 27001 audit.
A good risk analysis reveals the possible threats and how the organisation can deal with them. This knowledge forms the basis for setting up the information security management system (ISMS). A well-designed ISMS is one of the ISO 27001 requirements. ISO 27002 – a broadening and deepening of ISO 27001 – contains the security measures that form the basis for setting up and performing the risk analysis.

Content of ISO 27001 risk analysis

No two risk analyses are the same. Among other things, the specific content of a risk analysis depends on the organisation’s activities. It is important that the same methodology is always used for the risk analysis. The scope of the certification also plays a role. In some cases, a company may opt to only have some business units certified, rather than the entire organisation. The following aspects are always included in the risk analysis:
  • a detailed list of potential risks for each business
  • a list of those responsible for each risk
  • the probability of a threat occurring
  • a (measurable) summary of the impact if a threat occurs
  • a consideration of whether to accept the risk or take control measures
  • concrete control measures for each risk
  • the actions required to implement new control measures

ISO 27001 certification with DEKRA

The risk analysis for ISO 27001 forms the basis for a sound information security system. Would you like to know more about ISO 27001 and certification based on ISO 27001? Then take a look at our page on ISO 27001.