Risk management is often described as the heart of an information security management system. In the context of ISO 27001, this statement is not merely figurative — it is structural.
Yet many organisations continue to associate risk management solely with the certification process. They implement it as a formal requirement, rather than as a central decision-making mechanism.
ISO 27001 proposes precisely the opposite. Risk management is not an add-on to the security system, but rather its starting point.
What Does Risk Management Mean According to ISO 27001?
Managing risk within the scope of ISO 27001 involves identifying events that may affect information assets and assessing two fundamental dimensions:
- probability of occurrence
- impact on the business
The combination of these two criteria determines the severity of the risk.
From the outset, the standard introduces an essential principle: there is no such thing as zero risk. There is residual risk — the risk that remains after security controls have been implemented.
The objective is not to eliminate risk entirely, but to reduce it to a level that is acceptable to the organisation, in line with its risk appetite.
The acceptance of residual risk is often misunderstood. In reality, maturity begins precisely here.
Establishing Context in ISO 27001: The Decisive Step
Before identifying risks, the organisation must establish the context.
At this stage, the following elements are defined:
- the scope of the management system
- impact and probability criteria
- the acceptable level of risk
- business objectives
One of the most common mistakes is defining a scope that is too broad, making the process overly complex and difficult to manage. Another recurring mistake is attempting to reduce risk to zero, thereby creating unrealistic expectations.
ISO 27001 stands out for offering flexibility. It can be adapted to different organisational realities, but this flexibility requires conscious decisions aligned with business strategy.
Risk Identification and Analysis in ISO 27001
Risk identification can follow two approaches:
- asset-based approach, analysing risk for each asset
- event-based approach, analysing events that may affect multiple assets
In practice, the event-based approach tends to be clearer and less complex.
This is followed by risk analysis, where probability and impact values are assigned. These metrics may be qualitative (such as low, medium, or high) or quantitative (based on financial estimates, annual incident frequency, or reputational impact).
Severity is then calculated and compared with the criteria defined during the context phase.
Risk Assessment and Treatment According to ISO 27001
After analysis, risks are prioritised and compared with the defined level of acceptance.
Risk treatment generally follows four possible strategies:
- avoid the risk
- mitigate or reduce the risk
- transfer the risk
- accept the risk
Each strategy can be understood as follows:
- Avoiding may involve discontinuing an asset or activity whose associated risk is not justifiable.
- Mitigating involves reducing probability or impact through the implementation of controls.
- Transferring may include outsourcing activities or taking out insurance.
- Accepting is a conscious decision taken when the risk is already within the acceptable level.
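As an added illustration (not code from the article), the analysis and treatment steps above applied to a small risk register in Python; the qualitative scale, the acceptance threshold and the sample risks are assumptions:

```python
# Added example (not from the article): a minimal risk register that walks the steps
# above: analysis (probability x impact), comparison with the acceptance level fixed
# in the context phase, and a treatment decision. Scale, threshold, risks: assumed.
from dataclasses import dataclass, field
from typing import List, Optional, Tuple
LEVELS = {"low": 1, "medium": 2, "high": 3}   # assumed qualitative scale
ACCEPTABLE_SEVERITY = 2   # assumed risk appetite on the 1..9 probability x impact scale

@dataclass
class Risk:
    event: str                      # event-based identification, may hit several assets
    assets: List[str]
    probability: str                # "low" | "medium" | "high"
    impact: str
    controls: List[str] = field(default_factory=list)   # planned controls, if any
    residual_probability: Optional[str] = None          # estimate after controls
    residual_impact: Optional[str] = None

def severity(probability: str, impact: str) -> int:
    """Severity as probability x impact on the qualitative scale (1..9)."""
    return LEVELS[probability] * LEVELS[impact]

def treatment(risk: Risk) -> str:
    """Pick a treatment strategy by comparing severity with the acceptance level."""
    if severity(risk.probability, risk.impact) <= ACCEPTABLE_SEVERITY:
        return "accept"          # already within appetite: a conscious, recorded decision
    if risk.residual_probability and risk.residual_impact:
        if severity(risk.residual_probability, risk.residual_impact) <= ACCEPTABLE_SEVERITY:
            return "mitigate"    # the planned controls bring residual risk within appetite
    # No planned control set reaches the appetite: transfer (insurance, outsourcing)
    # or avoid (discontinue the activity) remain; the choice is a business decision.
    return "transfer-or-avoid"

def assess(register: List[Risk]) -> List[Tuple[str, int, str]]:
    """Prioritise by inherent severity (highest first) and attach a treatment."""
    rows = [(r.event, severity(r.probability, r.impact), treatment(r)) for r in register]
    return sorted(rows, key=lambda row: row[1], reverse=True)

REGISTER = [   # constructed sample register
    Risk("phishing leads to credential theft", ["mailbox", "SSO"], "high", "high",
         ["MFA", "awareness training"], "low", "medium"),
    Risk("laptop lost in transit", ["laptop"], "medium", "high",
         ["full-disk encryption"], "medium", "low"),
    Risk("office printer firmware outdated", ["printer"], "low", "low"),
    Risk("data centre flooding", ["servers"], "low", "high"),
]

if __name__ == "__main__":
    for event, sev, action in assess(REGISTER):
        print(f"{sev}  {action:18} {event}")
```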
ISO 27001 includes, in Annex A, a set of controls that organisations may select. Not all controls are mandatory, but any exclusion must be properly justified.
This balance between structure and flexibility is one of the reasons why the standard is widely adopted.
Continuous Risk Monitoring and Review
Risk management under ISO 27001 does not end with the implementation of controls. The mandatory monitoring and review phase requires performance indicators to be defined so that the effectiveness of the implemented controls can be assessed.
For example:
- reduction in the number of exposed credentials
- decreased likelihood of incidents
- improved response time
Certification involves periodic audits and formal cycles; however, the process itself is continuous. Threats evolve, infrastructure changes, the business adapts — and the management system must evolve accordingly.
Treating risk management as a closed project is a common mistake.
Common Mistakes in Implementing ISO 27001
Among the most frequent errors are:
- inadequate definition of scope
- attempts to achieve zero risk
- lack of continuous review
- exclusive focus on certification
Some organisations pursue certification for legitimate reasons, such as strengthening credibility with customers and partners — and that is entirely understandable.
The problem arises when certification is viewed as an endpoint rather than a starting point.
ISO 27001 as a Holistic Approach to Security
An often underestimated aspect of ISO 27001 is that it extends beyond technology. Risk management covers technological assets, data, people, processes, and policies.
Attacks such as phishing demonstrate that risk is not purely technical, as it also involves human behaviour and organisational practices.
The standard adopts a holistic approach, integrating governance, technology, and organisational culture. This comprehensiveness makes it one of the most complete references in the field.
Measuring the Return on Investment in Security
Although not always required, it is possible to estimate the return on investment (ROI) in security by comparing mitigation costs with the potential cost of an incident.
This assessment may include:
- operational downtime
- data loss
- reputational damage
- potential regulatory sanctions
While not an exact science, this approach frames risk management as a strategic decision rather than merely a technical necessity.
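As an added example (not from the article), the comparison above carried out in Python: the four cost categories make up the loss per incident, annualised loss expectancy is compared before and after each candidate control, and the control's cost is set against the loss it avoids. All figures and control names are constructed assumptions:

```python
# Added example (not from the article): comparing a control's cost with the loss it
# avoids, via annualised loss expectancy (ALE = loss per incident x incidents per year).
# All figures are constructed assumptions, not benchmarks.
from dataclasses import dataclass
from typing import List, Tuple
@dataclass
class IncidentLoss:
    """The article's cost categories, per occurrence, in currency units."""
    downtime: float
    data_loss: float
    reputation: float
    regulatory: float
    def total(self) -> float:
        return self.downtime + self.data_loss + self.reputation + self.regulatory

@dataclass
class Control:
    name: str
    annual_cost: float
    frequency_factor: float   # fraction of the incident frequency remaining after the control
    loss_factor: float        # fraction of the per-incident loss remaining after the control

def ale(loss: IncidentLoss, per_year: float) -> float:
    """Annualised loss expectancy: loss per incident x expected incidents per year."""
    return loss.total() * per_year

def rosi(loss: IncidentLoss, per_year: float, control: Control) -> float:
    """Return on security investment: (avoided loss - control cost) / control cost."""
    before = ale(loss, per_year)
    after = ale(loss, per_year * control.frequency_factor) * control.loss_factor
    return (before - after - control.annual_cost) / control.annual_cost

def rank(loss: IncidentLoss, per_year: float, controls: List[Control]) -> List[Tuple[str, float]]:
    """Controls ordered by ROSI; a negative value means the control costs more than it avoids."""
    rows = [(c.name, round(rosi(loss, per_year, c), 2)) for c in controls]
    return sorted(rows, key=lambda row: row[1], reverse=True)

# Constructed scenario: credential phishing, currently about two successful incidents a year
PHISHING_LOSS = IncidentLoss(downtime=40_000, data_loss=25_000, reputation=30_000, regulatory=5_000)
PHISHING_PER_YEAR = 2.0
CONTROLS = [
    Control("MFA on all accounts", 30_000, frequency_factor=1.0, loss_factor=0.2),
    Control("awareness training", 15_000, frequency_factor=0.5, loss_factor=1.0),
    Control("cyber insurance (transfer)", 60_000, frequency_factor=1.0, loss_factor=0.6),
    Control("in-house SOC build-out", 250_000, frequency_factor=1.0, loss_factor=0.9),
]

if __name__ == "__main__":
    for name, value in rank(PHISHING_LOSS, PHISHING_PER_YEAR, CONTROLS):
        print(f"{value:>6.2f}  {name}")
```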
From Standard to Practice: What This Means for the Organisation
Implementing risk management in accordance with ISO 27001 is not an isolated exercise or a document filed away for compliance purposes. It is a living process that must evolve alongside the organisation.
It requires management involvement, internal interviews, asset identification, clear definition of responsibilities, and sustained commitment.
Certification may represent an important milestone. However, true maturity is measured by the organisation’s ability to understand its risks, align them with its defined appetite, and continuously review its controls.
It is this transition from standard to practice that distinguishes mere compliance from true maturity.