CIVAC
IT Security & NIS-2 | 26 June 2026 | 12 min read

ISO 27001 Risk Assessment Template: What a Certifiable Workflow Looks Like in 2026

By Lena Vogt

An ISO 27001 risk assessment is a workflow, not a spreadsheet. This guide explains the 2022 revision, the methodology your auditor expects, the structure of a defensible risk register, and how CIVAC packages the templates inside one Workspace.

ISO/IEC 27001:2022 was published on 25 October 2022 and is the governing certification standard for an Information Security Management System. The previous 2013 revision will be withdrawn on 31 October 2026, which means every active certificate must be transitioned by that date. The 2022 revision restructures Annex A from 114 to 93 controls, introduces eleven new controls including threat intelligence, cloud security, ICT readiness for business continuity, and physical security monitoring, and clarifies the risk methodology under Clause 6.1.

At the heart of every certifiable ISMS sits one document chain: the risk assessment methodology (Clause 6.1.2), the risk register, the risk treatment plan (Clause 6.1.3), and the Statement of Applicability that ties the chosen Annex A controls back to the identified risks. A template alone solves nothing; the auditor wants to see a workflow with version history, ownership, and review cadence. This article walks through the methodology, gives the structure of a defensible template, and shows how CIVAC ships the full chain as part of its Compliance Platform and Officer-as-a-Service offering. License the Workspace for your in-house officers, or have our officers appointed.

At a glance

  • ISO/IEC 27001:2022 requires a documented risk methodology with consistent, valid, and comparable results before any control selection can begin.
  • A defensible risk register links each risk to an asset, a threat-vulnerability pair, an owner, a treatment, and a residual rating with review dates.
  • The Statement of Applicability is mandatory and must map every one of the 93 Annex A controls to a justification, an inclusion or exclusion decision, and an implementation status.

What Clause 6.1 actually requires

Clause 6.1 of ISO/IEC 27001:2022 sets out the planning requirements. The organisation shall determine the risks and opportunities that need to be addressed to ensure that the ISMS can achieve its intended outcomes. Clause 6.1.2 requires a documented information security risk assessment process that establishes and maintains risk acceptance criteria, ensures the process produces consistent, valid, and comparable results, identifies the risks, analyses them in terms of likelihood and consequences, and evaluates them against the criteria. Clause 6.1.3 covers the risk treatment process: selecting appropriate options, determining the controls that are necessary, comparing those controls with Annex A to verify no necessary control is omitted, producing a Statement of Applicability, and formulating a risk treatment plan.

Two phrases drive most audit findings. First, "consistent, valid, and comparable results". If two assessors evaluate the same risk and reach materially different conclusions, the methodology fails. Scoring scales, asset categorisation, and the meaning of likelihood values must be written down and trained. Second, "risk acceptance criteria". The board must approve, in writing, what level of risk the organisation is willing to accept. Without this signature, a treatment decision has no benchmark. The external Information Security Officer typically drafts and maintains the methodology, while the board ratifies it annually. In the CIVAC Workspace, the methodology lives next to the register, the treatment plan, and the Statement of Applicability, all version-controlled and auditable from a single screen, with a documented change history that withstands stage-2 scrutiny.

Choosing a methodology: qualitative, quantitative, or hybrid

ISO/IEC 27005:2022 (issued October 2022) is the companion standard for risk management and the most common reference. It does not mandate a specific scoring scheme but recommends scenario-based thinking. Three families of methodology are mature. Qualitative approaches use ordinal scales such as low, medium, high, very high for likelihood and consequence. They are quick to implement, easy to explain, and well suited to small and mid-sized organisations. The 5x5 matrix remains the most widely used variant. Quantitative approaches assign monetary values to assets and probabilities to threat events, producing an Annualized Loss Expectancy. They demand a data-rich environment and are typical for financial services, critical infrastructure, and global SaaS providers.

Hybrid approaches combine ordinal scoring with monetary anchors for the top-tier risks. For most German Mittelstand companies, a hybrid 5x5 matrix anchored to revenue impact bands offers the right balance: fast to operate, defensible to auditors, and useful for board reporting. The methodology document should state the chosen approach, the scales, the calibration of each level (for example, likelihood 1 equals expected less than once every ten years), the asset taxonomy, the threat catalogue (BSI IT-Grundschutz, ENISA, ATT&CK), and the review frequency. CIVAC ships a pre-configured hybrid 5x5 methodology in the Workspace, with calibration tables, asset categories, and a threat catalogue mapped to ISO/IEC 27001:2022 Annex A. Internal teams adopt it as-is or fork it. Others run compliance like a filing cabinet. We run it like software. The methodology document is reviewed annually as part of management review, with the board signing off on changes before they take effect, and with a changelog visible to internal audit.

Structure of a defensible risk register

A risk register is the operational core. A defensible template has at least fourteen columns:

  • ID, for unique reference
  • Date opened
  • Asset, linked to the asset inventory under Annex A.5.9
  • Asset owner
  • Asset value tier
  • Threat, from the catalogue
  • Vulnerability
  • Existing controls
  • Inherent likelihood
  • Inherent consequence
  • Inherent rating
  • Risk treatment option (modify, avoid, share, retain)
  • Selected controls, mapped to the Annex A clause
  • Residual likelihood
  • Residual consequence
  • Residual rating
  • Risk owner
  • Acceptance date and signatory
  • Next review date

Practically, three principles matter. First, one risk per row. A composite risk such as cyber attack covers everything and treats nothing. Break it into ransomware on file servers, phishing of finance staff, credential stuffing on the SaaS tenant. Second, traceability. Every risk must trace upward to an asset and downward to at least one control. Auditors test this by sampling. Third, residual ratings must change after treatment. If a risk has inherent rating 16 and residual rating 16, no treatment occurred. The CIVAC Workspace register supports linked records, change history, and overdue alerts at each review date. A single screen shows risks above the acceptance threshold, controls in implementation, and review backlog. The auditor calls, the evidence is ready. For background on the 2022 transition deadline see our ISO 27001:2022 transition update. The register exports as PDF, CSV, and audit-pack ZIP, all timestamped, signed by the risk owner, and ready to share with the certification body, internal audit or external counsel without manual rework.

Risk treatment plan and Annex A mapping

Clause 6.1.3 requires the organisation to determine all controls that are necessary to implement the chosen risk treatment options, then to compare those controls with Annex A to verify that no necessary control has been omitted. The 2022 Annex A contains 93 controls grouped in four themes: organisational (A.5, 37 controls), people (A.6, 8 controls), physical (A.7, 14 controls), and technological (A.8, 34 controls). Eleven controls are new compared with the 2013 revision: threat intelligence (A.5.7), information security for cloud services (A.5.23), ICT readiness for business continuity (A.5.30), physical security monitoring (A.7.4), configuration management (A.8.9), information deletion (A.8.10), data masking (A.8.11), data leakage prevention (A.8.12), monitoring activities (A.8.16), web filtering (A.8.23), secure coding (A.8.28).

The risk treatment plan is the operational schedule that turns these decisions into deliverables. For each selected control, the plan states the responsible owner, the deadline, the resources, the dependencies, the success criteria, and the verification method. It is not a wish list; it is a managed project with milestones. The Statement of Applicability is the audit deliverable that combines the two views: for every one of the 93 Annex A controls, the SoA records whether it is included or excluded, the justification, the implementation status, and a reference to the policy or procedure that implements it. The CIVAC Workspace generates the SoA dynamically from the register and the treatment plan. Every change is timestamped, every owner is named, every reference is clickable. Audit-proof, documented, ISO-proof. The treatment plan ties each open action to a budget code, a quarterly review and a status indicator, so management review under Clause 9.3 reads from live data rather than from a frozen export.

The eleven new controls in the 2022 revision

The eleven new controls deserve dedicated attention because most certified organisations carry forward the 2013 SoA and rediscover gaps only weeks before the audit. Threat intelligence (A.5.7) requires structured collection and analysis of information about threats, often a subscription to a sector-specific ISAC plus internal SOC feeds. Cloud services (A.5.23) requires policies and acquisition controls for cloud use, in practice a documented cloud governance with shared-responsibility matrices per provider. ICT readiness for business continuity (A.5.30) reaches beyond traditional backup, requiring tested recovery procedures aligned with business impact analysis.

Physical security monitoring (A.7.4) extends Annex A.7 with continuous monitoring of facilities, typically through CCTV, intrusion detection, and a documented incident response. Configuration management (A.8.9) demands documented configurations for hardware, software, services, and networks. Information deletion (A.8.10) requires verifiable deletion of information no longer needed. Data masking (A.8.11) covers pseudonymisation and anonymisation in test environments. Data leakage prevention (A.8.12) requires controls against unauthorised disclosure. Monitoring activities (A.8.16) covers network and application logging with retention. Web filtering (A.8.23) targets URL filtering and malicious site blocking. Secure coding (A.8.28) requires secure development practices integrated into the SDLC. For each new control, the CIVAC Workspace provides a control owner, a maturity self-assessment using a four-point scale, a links-to-evidence section, and a review cadence ranging from monthly to annual depending on risk relevance. Many of the new controls overlap with NIS-2 § 30, so the same evidence can support two regulatory regimes if the workflow is built for cross-reuse. Appointment certificate, signed, filed, evidenced.

Linking the risk assessment to NIS-2 and DORA

ISO/IEC 27001 is the de facto baseline for satisfying regulatory information security obligations in the EU. The NIS-2 directive, transposed in Germany via the NIS-2-Umsetzungsgesetz, applies to roughly 29,500 entities in essential and important sectors and requires risk management measures under § 30 BSIG with a 24-hour early warning and a 72-hour follow-up to the BSI. The Digital Operational Resilience Act (DORA), in force since 17 January 2025 for the financial sector, requires ICT risk management with documented register and stress testing. The German Federal Office for Information Security explicitly recognises ISO/IEC 27001 with IT-Grundschutz Profile as a valid foundation for NIS-2 risk management.

For organisations subject to both ISO certification and a sectoral regulation, two principles save effort. First, one risk register, multiple views. The same asset and threat data can be filtered for ISO 27001:2022, for NIS-2 § 30, for DORA Article 6, and for the EU AI Act if generative AI is in scope. Second, common scales. If the ISMS uses a 5x5 matrix and the BCM uses traffic lights, integration is painful. Aligning the scoring vocabulary across ISMS, BCM, and operational risk pays off at the first management review. The CIVAC Compliance Platform and Officer-as-a-Service ships pre-configured cross-walks between ISO/IEC 27001:2022 Annex A and NIS-2 § 30, and supports a single register with regulation-specific views. License the Workspace for your in-house officers, or have our officers appointed. The auditor calls, the evidence is ready. The cross-walk also captures the BSI IT-Grundschutz mapping, so federal contractors can demonstrate ISO 27001 plus IT-Grundschutz with a single evidence set, reducing audit duplication.

Roles, governance, and review cadence

Clause 5.3 requires top management to assign roles and responsibilities for the ISMS. Clause 9.3 requires management review at planned intervals. Together they define the governance loop. The Information Security Officer (ISB in German) owns the methodology, the register, and the treatment plan operationally. Asset owners own individual risks. Top management owns the acceptance criteria and the residual risk above the threshold. Internal audit (Clause 9.2) tests the operation of the ISMS independently. The certification body audits annually with a recertification every three years.

Review cadence is a judgement call, but auditors expect a defensible schedule. A common pattern: quarterly review of high-rated risks, semi-annual review of medium risks, annual full register review tied to management review under Clause 9.3, and ad-hoc review on material change (new system, M&A, incident). The CIVAC Workspace automates the cadence: each risk has a next review date, overdue items appear on a dashboard, the management review pack is generated from the live data, and the certification audit pack is exported as a versioned ZIP. The reporting line from ISB to management is configured per organisation. The CIVAC SLA for an external ISB appointment is two working days from instruction, compared with two to six weeks in traditional staffing markets. Turn reading into a mandate. Internal audit programs and external certification audits can run from the same evidence pool, with each finding linked back to a control, an owner, and a remediation timeline that all stakeholders can monitor.

Common audit findings and how the template prevents them

Five findings appear in nearly every ISO 27001 stage-2 audit. First, the methodology is missing or generic. Auditors want a document that explains the chosen scales, the calibration, the asset taxonomy, the threat source, and the review schedule. A two-page methodology with calibration tables is preferable to a twenty-page essay. Second, the risk register is incomplete or stale. Risks without owners, without next review dates, or without residual ratings after treatment are red flags. Third, the SoA is inconsistent with the register. Controls marked as included in the SoA appear without corresponding risks; risks reference controls not selected.

Fourth, the treatment plan has no deadlines or no progress. Open actions with deadlines two years in the past suggest the plan is a wish list rather than a managed schedule. Fifth, evidence is hard to find. The auditor asks for proof that A.8.16 monitoring activities is implemented, and the answer is a chase through five teams. The CIVAC Workspace closes all five gaps by structure: methodology is a single document, register lives next to the SoA, treatment plan tracks deadlines and progress, evidence attaches to the control. The Statement of Applicability is generated, not hand-curated. The auditor calls, the evidence is ready. A simple metric to monitor: percentage of risks reviewed in the last 12 months. Below 90 percent, a finding is likely. Above 98 percent, the ISMS is operationally live, not paper-only. A second metric to track is treatment-plan slippage, calculated as overdue actions divided by total open actions. Below 10 percent indicates a healthy treatment cadence.
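The register rules from "Structure of a defensible risk register" (one row per risk, asset and control traceability, a residual rating that actually drops after treatment) and the five stage-2 findings and two metrics just listed, as one added Python example. This is not CIVAC's code and not the Workspace's export format. It assumes a 5x5 matrix scored as likelihood times consequence, which fits the ratings of 16 quoted in the text but is not stated by the article, and it runs over a small constructed register, SoA and treatment plan whose every value is made up for illustration; the Annex A numbers used (A.6.3, A.8.7, A.8.13, A.8.16) are real 2022 control references.

```python
"""Risk-register consistency checks and the two audit metrics from the text.

Added example, not CIVAC's code. Assumptions: a 5x5 matrix where
rating = likelihood x consequence, and a constructed register, SoA and
treatment plan (all values below are made up for illustration).
"""
from dataclasses import dataclass
from datetime import date

@dataclass
class Risk:
    id: str
    asset: str                 # link to the asset inventory (Annex A.5.9)
    owner: str                 # risk owner who signs the acceptance
    inherent_likelihood: int   # 1..5
    inherent_consequence: int  # 1..5
    treatment: str             # modify | avoid | share | retain
    controls: list             # Annex A references that implement the treatment
    residual_likelihood: int
    residual_consequence: int
    last_reviewed: date
    next_review: date

@dataclass
class Action:
    id: str
    control: str               # Annex A reference the action implements
    deadline: date
    done: bool

def rating(likelihood, consequence):
    """5x5 matrix score; product scoring is this example's assumption."""
    if not (1 <= likelihood <= 5 and 1 <= consequence <= 5):
        raise ValueError("likelihood and consequence must be on the 1..5 scale")
    return likelihood * consequence

def check_register(risks, soa_included, acceptance_threshold, today):
    """Audit-style findings: traceability, residual change, review dates, SoA consistency."""
    findings, selected = [], set()
    for r in risks:
        inherent = rating(r.inherent_likelihood, r.inherent_consequence)
        residual = rating(r.residual_likelihood, r.residual_consequence)
        if not r.asset:
            findings.append(f"{r.id}: no asset linkage")
        if not r.owner:
            findings.append(f"{r.id}: no risk owner")
        if r.treatment == "modify":
            if not r.controls:
                findings.append(f"{r.id}: treatment 'modify' selects no control")
            if residual >= inherent:  # inherent 16, residual 16: no treatment occurred
                findings.append(f"{r.id}: residual {residual} not below inherent {inherent}")
        if r.treatment == "retain" and residual > acceptance_threshold:
            findings.append(f"{r.id}: retained residual {residual} above threshold {acceptance_threshold}")
        if r.next_review < today:
            findings.append(f"{r.id}: review overdue since {r.next_review}")
        selected.update(r.controls)
    # SoA consistency in both directions named in the text
    for c in sorted(selected - soa_included):
        findings.append(f"SoA excludes {c} but the register selects it")
    for c in sorted(soa_included - selected):
        findings.append(f"SoA includes {c} but no risk references it")
    return findings

def review_coverage(risks, today, window_days=365):
    """Percent of risks reviewed within the window; the text expects at least 90."""
    reviewed = sum(1 for r in risks if (today - r.last_reviewed).days <= window_days)
    return 100.0 * reviewed / len(risks)

def treatment_slippage(actions, today):
    """Overdue open actions as a percent of all open actions; below 10 is healthy."""
    open_actions = [a for a in actions if not a.done]
    if not open_actions:
        return 0.0
    overdue = [a for a in open_actions if a.deadline < today]
    return 100.0 * len(overdue) / len(open_actions)

# Constructed sample data (not taken from any real register)
TODAY = date(2026, 6, 26)
ACCEPTANCE_THRESHOLD = 12  # board-approved: residual above 12 may not simply be retained
RISKS = [
    Risk("R-001", "File server FS-01", "IT Operations", 4, 4, "modify",
         ["A.8.13", "A.8.7"], 2, 4, date(2026, 3, 31), date(2026, 9, 30)),
    Risk("R-002", "Finance mailboxes", "CFO", 4, 3, "modify",
         ["A.6.3"], 4, 3, date(2025, 4, 1), date(2026, 4, 1)),
    Risk("R-003", "SaaS tenant", "", 3, 5, "retain",
         [], 3, 5, date(2026, 1, 15), date(2026, 7, 15)),
]
SOA_INCLUDED = {"A.8.13", "A.6.3", "A.8.16"}  # A.8.7 missing, A.8.16 orphaned
ACTIONS = [
    Action("T-1", "A.8.13", date(2026, 3, 31), False),  # overdue
    Action("T-2", "A.8.7", date(2026, 9, 30), False),
    Action("T-3", "A.6.3", date(2026, 1, 31), True),
    Action("T-4", "A.8.16", date(2026, 12, 31), False),
]

if __name__ == "__main__":
    for f in check_register(RISKS, SOA_INCLUDED, ACCEPTANCE_THRESHOLD, TODAY):
        print("FINDING", f)
    print(f"review coverage {review_coverage(RISKS, TODAY):.1f}%")
    print(f"treatment slippage {treatment_slippage(ACTIONS, TODAY):.1f}%")
```

Run as a script, the constructed data yields six findings (one per audit pattern above: a residual that never dropped, an overdue review, a missing owner, a retained risk above the acceptance threshold, and the SoA disagreeing with the register in both directions), 66.7 percent review coverage and 33.3 percent slippage. The same checks fit naturally on a CSV export of the register before the audit pack is signed.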

Turn reading into engagement

A risk assessment template is the easy part. A certifiable ISMS is the workflow that surrounds it. Methodology approved by the board, register linked to assets and controls, treatment plan with deadlines and owners, Statement of Applicability mapped to all 93 Annex A controls, management review on cadence, internal audit independent and documented, certification audit pack exportable on demand. Anything less invites a non-conformity at stage 2.

CIVAC is the Compliance Platform and Officer-as-a-Service that ships this workflow as one Workspace. License the Workspace for your in-house officers, or have our officers appointed. You receive a pre-configured methodology, a register with linked records, the eleven new 2022 controls pre-mapped, a Statement of Applicability that updates as the register changes, a treatment plan with owners and deadlines, audit templates for management review, and a reporting line to top management. EU data residency, 93 controls aligned to ISO/IEC 27001:2022, and audit-proof archiving are built in. The CIVAC SLA for an external ISB or DSB appointment is two working days. Turn reading into a mandate. Write to info@civac.de or use the contact form on civac.de, and you will receive a proposal, a slot, and a draft appointment certificate within the same business day. A standard onboarding workshop runs half a day, after which the Workspace is configured to your scope, your existing register is imported, and the management review cadence is scheduled with calendar invites already in place. From that moment, every change to the methodology, the register, the treatment plan, or the Statement of Applicability is versioned, traceable, and exportable into a certification-audit pack on demand. Appointment certificate, signed, filed, evidenced.

FAQ

Is a template enough to pass an ISO 27001 audit?

No. The template gives structure, but auditors test the workflow: methodology approval, asset linkage, owner accountability, review cadence, treatment progress, and Statement of Applicability consistency. A spreadsheet without governance fails stage 2. A managed workflow with version history, evidence attachments, and management review passes recertification. CIVAC packages the workflow as a Workspace.

How many risks should a register contain?

Auditors care about coverage and depth, not count. A mid-sized organisation typically lists 80 to 200 risks at scenario level, mapped to fewer than 40 critical assets. Composite risks such as cyber attack should be decomposed. Below 30 risks suggests gaps; above 500 suggests granularity without value. Calibrate the level so that each risk has an actionable treatment.

Do we need ISO/IEC 27005 if we already use ISO/IEC 27001:2022?

ISO/IEC 27005:2022 is a recommendation, not a certification standard. It provides guidance for risk management, scenario thinking, and asset-based analysis. Most certified organisations use it as a reference for methodology design without certifying against it. The CIVAC Workspace methodology aligns with ISO/IEC 27005:2022 by default.

How does the 2026 transition affect existing certificates?

ISO/IEC 27001:2013 certificates expire by 31 October 2026. From 1 May 2024 onward, certification audits must use the 2022 revision. Organisations carrying a 2013 certificate must transition by the deadline; failure means loss of certification. The eleven new controls require evidence of implementation, not just policy. Plan a six-month transition project.

Can we exclude Annex A controls?

Yes, but each exclusion must be justified in the Statement of Applicability. Typical exclusions cover controls that are not applicable to the scope, such as A.7.10 storage media if no physical media leave the building, or A.5.16 identity management if no in-house identity provider exists. The justification must be precise; sweeping exclusions trigger findings.

How fast can CIVAC appoint an external Information Security Officer?

Within two working days from instruction. You receive the appointment certificate, the reporting line to management, access to the Workspace with the risk methodology, register, treatment plan, and Statement of Applicability templates, and a kickoff slot. License the Workspace for your in-house officers, or have our officers appointed.

Turn this into a mandate.

Let us carry the operational weight. External officer, templates and documentation in one workspace. No obligation.
