ISO 27001 Risk Assessment for Non-Technical Business Owners: A Plain English Guide

CertBetter

Team CertBetter


The Risk Assessment Problem Nobody Warns You About

You decided to pursue ISO 27001 certification. Maybe a client asked for it, maybe you want to win government contracts, or maybe you just want to prove your business takes information security seriously. So you downloaded a risk assessment template, opened it up, and felt your stomach drop.

Columns for threat actors, vulnerability scores, likelihood ratings, impact matrices, residual risk calculations. It reads like something written by a security engineer for other security engineers. If you run a 15-person accountancy firm in Manchester or a small software company in Bristol, none of it feels remotely relevant to your day-to-day reality.

Here is the truth: the risk assessment is the single most important part of ISO 27001, and it is also the part that trips up the most small businesses. But it does not need to be as complicated as most templates make it look. This guide will walk you through exactly how to approach it as a non-technical business owner, without needing a cybersecurity degree or a full-time IT department.

What ISO 27001 Actually Requires From Your Risk Assessment

Before diving into how to do it, it helps to understand what the standard actually asks for. ISO 27001 Clause 6.1.2 requires you to establish and apply a process for information security risk assessment. That process needs to define risk acceptance criteria, identify risks related to the loss of confidentiality, integrity, and availability of information, analyse those risks, and evaluate them against your criteria.

Notice what it does not say. It does not say you need a specific software tool. It does not say you need to use a particular scoring methodology. It does not say you need a dedicated security team. The standard gives you significant flexibility in how you approach this, which is actually good news for smaller businesses.

What auditors are looking for is evidence that you have thought seriously about what could go wrong with your information, that you have a consistent method for assessing those risks, and that you have made deliberate decisions about what to do about them. That is a management activity, not a technical one.

Start With What You Actually Have: The Information Audit

Before you can assess risks to your information, you need to know what information you actually hold and where it lives. This is called scoping your information assets, and it is the foundation everything else builds on.

Mapping Your Information Assets

Sit down with a blank piece of paper or a simple spreadsheet and ask yourself these questions about your business. What types of information do we handle? Think about customer data, employee records, financial information, contracts, intellectual property, passwords, and any regulated data like health records or payment card information.

Where does that information live? Consider your email system, your file server or cloud storage, your accounting software, your CRM, physical filing cabinets, USB drives, laptops, and mobile phones. Who has access to each type of information? This includes staff, contractors, IT support providers, and any cloud software vendors.

You do not need an exhaustive technical inventory. A straightforward list of your main information types and where they are stored is enough to get started. For most UK SMEs, this list will have between ten and thirty entries.

Assigning Information Owners

For each asset or category of information, assign an owner. This is simply the person in your business who is responsible for that information. The owner of your customer database might be your sales manager. The owner of your financial records might be your finance director or you as the business owner. This ownership concept matters because risk assessment decisions should be made by people who understand the business value of the information, not just the technical people who manage the systems.

Understanding the Three Things That Can Go Wrong

ISO 27001 frames information security risks around three concepts: confidentiality, integrity, and availability. Understanding what these mean in plain English will make your risk assessment much easier to complete.

Confidentiality means keeping information away from people who should not have it. A confidentiality breach is when customer data gets sent to the wrong person, an employee accesses files they should not see, or a hacker steals your client list.

Integrity means keeping information accurate and unaltered. An integrity breach is when someone changes a contract without authorisation, a software bug corrupts your financial records, or an attacker modifies data in your system without you knowing.

Availability means being able to access information when you need it. An availability breach is when ransomware locks you out of your files, your server crashes and you cannot access client records, or a key employee leaves and takes the only copy of critical documents with them.

When you look at each information asset on your list, simply ask: what could cause a confidentiality, integrity, or availability problem for this information? That question is the heart of your risk identification process.

A Simple Risk Assessment Method That Actually Works for SMEs

There are many risk assessment methodologies out there. Some are extremely detailed and designed for large enterprises with dedicated security teams. For a UK SME working toward ISO 27001 for the first time, you need something that is rigorous enough to satisfy an auditor but practical enough to actually complete.

The Likelihood and Impact Approach

The most straightforward method uses two variables: how likely is this risk to occur, and how bad would the impact be if it did? You rate each on a simple scale, typically one to three or one to five, and multiply them together to get a risk score.

Using a one to three scale: a rating of one means low, two means medium, and three means high. A risk with likelihood two and impact three gives you a score of six. A risk with likelihood one and impact one gives you a score of one. This simple calculation gives you a way to prioritise which risks need the most urgent attention.

The important thing is that you apply your scale consistently across all risks. Document what each rating means in your business context. For example, high likelihood might mean the event could realistically happen once a year or more. High impact might mean it could cause significant financial loss, regulatory penalty, or serious damage to your reputation.

Working Through a Practical Example

Take a common scenario: your sales team uses a shared email account to communicate with clients, and that account contains sensitive proposal documents and pricing information.

The information asset is the shared email account and its contents. Potential confidentiality risks include a staff member accidentally forwarding emails to the wrong client, a former employee retaining access after leaving, or the account being compromised through a weak password. Potential integrity risks include someone deleting important email threads. Potential availability risks include the account being locked due to a forgotten password or a provider outage.

For each of these, you rate likelihood and impact, calculate a score, and then decide what to do about it. The decision about what to do is called your risk treatment decision, and we will cover that next.

Risk Treatment: What You Actually Do About the Risks You Find

ISO 27001 gives you four options for treating any risk you identify. You can modify the risk by implementing controls to reduce it. You can retain the risk by accepting it as is, usually because the cost of addressing it outweighs the potential harm. You can avoid the risk by stopping the activity that creates it. Or you can share the risk by transferring it to a third party, such as through insurance or a contractual arrangement with a supplier.

For most risks identified by small businesses, the answer will be to modify them by putting controls in place. This is where Annex A of ISO 27001 comes in. Annex A contains 93 controls across four categories: organisational controls, people controls, physical controls, and technological controls.

You Do Not Need to Implement All 93 Controls

This is one of the most common misconceptions among first-time ISO 27001 applicants. You do not need to implement every single control in Annex A. What you need to do is go through the list, decide which controls are applicable to your business given the risks you have identified, and document your reasoning for any controls you have excluded. This document is called the Statement of Applicability.

For a small professional services firm, many of the more technical controls around network segmentation or cryptographic key management may genuinely not apply to your environment. That is fine, as long as you can explain why. An auditor will not penalise you for excluding a control if your business context makes it irrelevant. They will penalise you for not being able to justify your decisions.

Practical Controls That Most SMEs Should Have

Regardless of your specific risk assessment results, there are some controls that almost every small business will need: strong password policies and multi-factor authentication for all business systems; a clear process for removing access when staff leave; regular backups that are tested to confirm they actually work; a policy for using personal devices for work purposes; basic training for all staff on recognising phishing emails; and a procedure for reporting and responding to security incidents.

These are not technically complex to implement. They are management and process decisions that you as a business owner can make and document without needing a technical background.

Documenting Your Risk Assessment: What You Need to Keep

ISO 27001 requires you to retain documented information about your risk assessment process and results. In practical terms, this means keeping your risk register, your risk assessment methodology document, your risk treatment plan, and your Statement of Applicability.

Your risk register does not need to be a sophisticated tool. A well structured spreadsheet works perfectly well. Each row represents a risk, with columns for the asset affected, the risk description, your likelihood rating, your impact rating, your risk score, your treatment decision, the control you have chosen to apply, and the owner responsible for implementing that control.
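As an added worked example (not code from the CertBetter article), the Python script below turns the shared sales mailbox scenario and the one-to-three likelihood and impact method described earlier into a small risk register laid out with the columns just listed, scores and prioritises the rows, and runs the audit-readiness checks an auditor would expect: every row has a recognised treatment decision, anything you choose to modify names a control and an owner, and nothing above your acceptance threshold is silently retained. The ratings, owners, control wording and the acceptance threshold of two are constructed sample values; a real business sets and documents its own.

```python
"""Worked ISO 27001 risk register for the shared sales mailbox scenario.

Added illustration, not code from the CertBetter article. The asset, the
risks, the 1-to-3 scale, the score = likelihood x impact rule and the four
treatment options come from the article; the ratings, owners, control
wording and ACCEPTANCE_THRESHOLD are constructed sample values.
"""
from dataclasses import dataclass

SCALE = {1: "low", 2: "medium", 3: "high"}           # the article's 1-to-3 scale
TREATMENTS = {"modify", "retain", "avoid", "share"}  # ISO 27001 treatment options
# Constructed risk acceptance criterion: a score at or below this may be
# retained as-is; anything higher must be modified, avoided or shared.
ACCEPTANCE_THRESHOLD = 2


@dataclass
class Risk:
    """One row of the register, mirroring the spreadsheet columns in the text."""
    asset: str
    description: str
    cia: str            # "confidentiality", "integrity" or "availability"
    likelihood: int     # 1-3
    impact: int         # 1-3
    treatment: str      # modify / retain / avoid / share
    control: str = ""   # control chosen to apply (blank if none yet)
    owner: str = ""     # person responsible for implementing that control

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


def gaps(risk: Risk) -> list[str]:
    """Audit-readiness checks for a single row; empty list means the row is complete."""
    problems = []
    if risk.likelihood not in SCALE or risk.impact not in SCALE:
        problems.append("rating outside the documented 1-to-3 scale")
    if risk.treatment not in TREATMENTS:
        problems.append(f"unknown treatment decision '{risk.treatment}'")
    if risk.treatment == "modify" and not risk.control:
        problems.append("treatment is 'modify' but no control is named")
    if risk.treatment == "retain" and risk.score > ACCEPTANCE_THRESHOLD:
        problems.append(f"score {risk.score} exceeds the acceptance threshold but the risk is retained")
    if risk.treatment != "retain" and not risk.owner:
        problems.append("no owner responsible for implementing the treatment")
    return [f"{risk.description}: {p}" for p in problems]


def audit_gaps(register: list[Risk]) -> list[str]:
    """All gaps across the register, in register order."""
    return [g for r in register for g in gaps(r)]


def prioritise(register: list[Risk]) -> list[Risk]:
    """Highest score first; ties broken alphabetically so the order is stable."""
    return sorted(register, key=lambda r: (-r.score, r.description))


def summarise(register: list[Risk]) -> list[str]:
    """One printable line per row, in priority order."""
    return [
        f"{r.score:>2}  {SCALE[r.likelihood]:<6} x {SCALE[r.impact]:<6}  "
        f"{r.cia:<15} {r.treatment:<6}  {r.description}"
        for r in prioritise(register)
    ]


# Constructed register for the article's shared mailbox example.
MAILBOX = "Shared sales mailbox (proposals and pricing)"
REGISTER = [
    Risk(MAILBOX, "Staff member forwards a proposal to the wrong client", "confidentiality", 2, 2,
         "modify", "Staff training plus a check-before-send rule for external mail", "Sales manager"),
    Risk(MAILBOX, "Former employee retains mailbox access after leaving", "confidentiality", 2, 3,
         "modify", "Leaver checklist removes mailbox access on the last working day", "Office manager"),
    Risk(MAILBOX, "Mailbox compromised through a weak shared password", "confidentiality", 2, 3,
         "modify", "Password policy and multi-factor authentication on the mailbox", "IT support provider"),
    # Constructed gap: a treatment decision has been made but no control or owner recorded.
    Risk(MAILBOX, "Important email thread deleted by a staff member", "integrity", 2, 2, "modify"),
    Risk(MAILBOX, "Mailbox locked after the shared password is forgotten", "availability", 2, 1, "retain"),
    Risk(MAILBOX, "Email provider outage", "availability", 1, 2,
         "share", "Provider service agreement; phones as fallback during an outage", "Business owner"),
]

if __name__ == "__main__":
    for line in summarise(REGISTER):
        print(line)
    for gap in audit_gaps(REGISTER):
        print("GAP:", gap)
```

Running it lists the six risks with the two score-six items at the top and flags the integrity row twice, once for the missing control and once for the missing owner, which is exactly the kind of incomplete row a Stage 1 document review picks up.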

Keep it updated. Risk assessment under ISO 27001 is not a one-time exercise. You need to review your risk register at planned intervals and whenever significant changes occur in your business, such as adopting new software, taking on a major new client, or changing how you store data.

Common Mistakes Non-Technical Owners Make and How to Avoid Them

Trying to Boil the Ocean

Many small businesses try to identify every conceivable risk and end up with a risk register containing hundreds of entries, most of which are either duplicates or so unlikely they are not worth worrying about. Focus on the risks that are realistic for your business size and sector. A ten-person marketing agency does not need to assess the risk of a nation-state attacking its infrastructure.

Copying Templates Without Adapting Them

Generic risk assessment templates are a starting point, not a finished product. An auditor will quickly spot a risk register that has been copied from a template without being tailored to your actual business. Every risk in your register should be something that genuinely applies to your organisation, your systems, and your people.

Treating It as a Technical Exercise

Risk assessment is a business decision-making process. The best person to lead it is not necessarily your most technical person. It is the person who understands what information is most critical to your business, what the consequences of losing or exposing that information would be, and what resources are available to address the risks. That is often the business owner or a senior manager.

Forgetting About People and Physical Risks

Cybersecurity gets most of the attention, but ISO 27001 covers all information security risks. A visitor walking through your office and seeing sensitive documents on a desk is an information security risk. An employee sharing a password with a colleague is an information security risk. A laptop left on a train is an information security risk. Make sure your risk assessment covers physical and human factors, not just technical ones.

When Does It Make Sense to Get Help?

There is a real question about whether to tackle ISO 27001 entirely on your own or to bring in outside support. The honest answer is that it depends on your situation.

If your business has a relatively simple IT environment, a small team, and you have time to invest in learning the standard properly, a DIY approach supported by good templates and guidance can work. The DIY certification guide on CertBetter covers when this approach makes sense and when it tends to fall apart.

If your business handles particularly sensitive data, operates in a regulated sector, or you are working toward certification because a major client requires it within a specific timeframe, bringing in a consultant for at least the risk assessment phase is usually worth the cost. A good consultant will not do the risk assessment for you. They will guide you through the process, help you understand what the auditor will be looking for, and make sure your documentation is solid before you go anywhere near a certification audit.

The risk assessment is also not a good place to cut corners if you are working toward actual certification. Auditors spend significant time reviewing the risk assessment during both Stage 1 and Stage 2 audits. Weaknesses here tend to generate nonconformities that delay your certification.

Getting Your Risk Assessment Audit Ready

Before your certification audit, review your risk assessment against these questions. Does your methodology document explain clearly how you rate likelihood and impact? Does your risk register cover all the information assets you identified in your scoping exercise? Have you made a documented treatment decision for every risk? Does your Statement of Applicability reference your risk assessment results? Are your chosen controls actually implemented and can you demonstrate that? Have you reviewed and updated the risk register recently?

If you can answer yes to all of these, your risk assessment is in good shape. If you have gaps, address them before the audit. Stage 1 is largely a document review, so arriving with incomplete documentation is one of the most common reasons businesses are not ready to proceed to Stage 2.

Taking the Next Step

ISO 27001 risk assessment feels overwhelming at first because most of the available guidance is written for technical audiences. But the underlying process is a management activity that any thoughtful business owner can lead. Know what information you have, think clearly about what could go wrong with it, make deliberate decisions about what to do about those risks, and document your thinking consistently.

If you are at the point where you need to find the right consultant or certification body to support your ISO 27001 journey, CertBetter makes that process straightforward. Submit one form and receive up to three competing quotes from vetted providers who have been assessed for their ISO 27001 experience. It costs nothing and removes the time-consuming process of researching and chasing providers individually. Whether you need full implementation support or just help getting your risk assessment right before your audit, comparing quotes from experienced consultants is a sensible first step.


Dilawar Laghari

Hi! I am Dilawar Laghari, founder of CertBetter.

I created CertBetter to help anyone compare ISO certification providers for free.
