A magnifying glass on a red background.
BlogISO 27001

Risk assessment 101: Working backwards from the controls

Written by
No items found.
Reviewed by
No items found.

Accelerating security solutions for small businesses 

Tagore offers strategic services to small businesses. 

A partnership that can scale 

Tagore prioritized finding a managed compliance partner with an established product, dedicated support team, and rapid release rate.

Standing out from competitors

Tagore's partnership with Vanta enhances its strategic focus and deepens client value, creating differentiation in a competitive market.

Performing an information security risk assessment in order to meet the requirements of ISO 27001, SOC 2, PCI DSS, or HIPAA can feel a bit daunting at first. The truth is there are a number of different approaches and methodologies that can work. In this article, I’m going to provide you with a simple and practical example of how you can start with a controls framework, like the ISO 27001 Annex A, and work backwards.

Start with any control. In this example let’s use the first control from the ISO 27001 Annex A:

Section A.5 Information Security Policies includes an information security objective, which is: To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations.

The first control is A.5.1.1 Policies for Information Security: A set of policies for information security shall be defined, approved by management, published and communicated to employees and relevant external parties.

In summary, this control activity indicates that companies should communicate approved policies to personnel so that those personnel know how to perform their job roles in accordance with the direction and rules set by management.


Facing vulnerabilities in the org

The first step after we read and understand the control is to assess how well our organization has implemented it. To the extent that we haven’t implemented the control, those gaps will be listed on our Risk Assessment document as Vulnerabilities.

Policy vulnerabilities could include things like the following:

  • We don’t have any security policies
  • Policies are old and out of date
  • Policies are inaccurate and/or contradictory
  • Policies have not been reviewed and approved by management
  • Policies haven’t been published or communicated to personnel
  • Policies haven’t been acknowledged or accepted by personnel
  • Personnel can’t find or access policies when needed
  • Policies are too long, too technical, or generally not understandable by the user

What’s the risk then? The risks of not effectively implementing policies could include:

  • Personnel don’t understand the rules or management’s direction
  • Personnel take actions that are not consistent with the will of management
  • Personnel perform actions based on incorrect or out-of-date procedures
  • Management lacks a mechanism to direct the organization’s behavior

The next question to ask is: If we have issues or weaknesses with policies, do we have any other controls that could mitigate those potential risks? We can list those as Existing Controls. For example:

  • All employees perform security awareness training
  • Employees receive targeted training relevant to their role
  • Managers meet with direct reports weekly to review their work
  • Managers are responsible to mentor and provide ad hoc guidance
  • Logging and alerting systems detect and alert on technical misconfigurations or vulnerabilities

After considering the potential risks along with the vulnerabilities and existing controls, we will document a Risk Scenario which could be the most important potential risk or a combination of possible risks. An example risk scenario could be as follows:

  • Users perform insecure actions because they are not aware of company security policies

{{cta_withimage4="/cta-modules"}}

Identifying risk scenarios

Having identified the Risk Scenario we now need to assess the likelihood and impact of the risk materializing which will be combined to give the overall Risk Score. Typically, the likelihood, impact, and overall risk are ranked on a scale of 1-3 or 1-5, which represents something like low, medium, and high.

For this example, we’ll say the likelihood of the risk materializing is a medium likelihood with a score of two (2). The rationale is that while we do lack clear policy direction, a mitigating factor is that employees can solicit management for direction and they do receive basic security training.

Let’s say the impact is also medium or two (2). The rationale is that we expect employees to have enough security awareness and competence to ask for help before taking an insecure action, but the possibility exists that that won’t always happen. An employee could make a serious mistake, like misconfiguring a publicly accessible datastore to allow unauthorized access to sensitive data.

Using a simple multiplication methodology, the overall risk score in this case would be four (4), which would represent a medium risk overall according to our method.

Now a common mistake is to get hung up on the scoring for likelihood, impact, and overall risk. Don’t worry about that too much. It’s a subjective determination, just do your best. The most important thing is to identify and document the risk scenario. You can always adjust the scoring later based on a reconsideration or new inputs.

The next step is to determine the Risk Treatment. The typical options are: Accept, Remediate, Transfer, or Avoid. In our case we’ll mitigate the risk through some planned actions which we’ll call our Risk Treatment Plan.

The last major step now is to document our Risk Treatment Plan, in ISO terms, or simply, the tasks that we will take to mitigate the risk. Our risk treatment plan will be as follows:

  • Create, review, and/or update all relevant information security policies
  • Obtain management approval for all final policies
  • Publish and communicate policies to relevant users
  • Obtain user acknowledgement or acceptance of all relevant policies
  • Implement a process for new hires to acknowledge and accept policies at time of hire
  • Implement a policy to review, update, approve, and communicate policies at least annually

In order for this risk assessment to meet ISO 27001 requirements we need to assign a Risk Owner to each risk and obtain their approval of the risk treatment plan.

That’s basically it. You can get a lot more fancy with information like threats, mappings to specific assets or control frameworks, but we’ve covered the essential elements.

Working backwards from control sets such as the ISO 27001 Annex A is a great approach for organizations that are relatively new to formal risk assessment. I recently worked through the Department of Health and Human Services’ HIPAA Risk Security Risk Assessment (SRA) Tool, and it took a very similar approach, based on the HIPAA Security Rule control requirements.

There are various methods for assessing risk, this is a simple and straightforward approach to help you get started.

{{cta_simple1="/cta-modules"}}


                                                                                                                     

Matt Cooper is Principal, Cybersecurity & Data Privacy

About the author: Matt Cooper is Principal, Cybersecurity & Data Privacy on Vanta’s sales team. Matt has been with Vanta since February of 2021.

Access Review Stage Content / Functionality
Across all stages
  • Easily create and save a new access review at a point in time
  • View detailed audit evidence of historical access reviews
Setup access review procedures
  • Define a global access review procedure that stakeholders can follow, ensuring consistency and mitigation of human error in reviews
  • Set your access review frequency (monthly, quarterly, etc.) and working period/deadlines
Consolidate account access data from systems
  • Integrate systems using dozens of pre-built integrations, or “connectors”. System account and HRIS data is pulled into Vanta.
  • Upcoming integrations include Zoom and Intercom (account access), and Personio (HRIS)
  • Upload access files from non-integrated systems
  • View and select systems in-scope for the review
Review, approve, and deny user access
  • Select the appropriate systems reviewer and due date
  • Get automatic notifications and reminders to systems reviewer of deadlines
  • Automatic flagging of “risky” employee accounts that have been terminated or switched departments
  • Intuitive interface to see all accounts with access, account accept/deny buttons, and notes section
  • Track progress of individual systems access reviews and see accounts that need to be removed or have access modified
  • Bulk sort, filter, and alter accounts based on account roles and employee title
Assign remediation tasks to system owners
  • Built-in remediation workflow for reviewers to request access changes and for admin to view and manage requests
  • Optional task tracker integration to create tickets for any access changes and provide visibility to the status of tickets and remediation
Verify changes to access
  • Focused view of accounts flagged for access changes for easy tracking and management
  • Automated evidence of remediation completion displayed for integrated systems
  • Manual evidence of remediation can be uploaded for non-integrated systems
Report and re-evaluate results
  • Auditor can log into Vanta to see history of all completed access reviews
  • Internals can see status of reviews in progress and also historical review detail
Logo of incident.io
Incident.io
Logo of Lumos
Lumos
Icepanel logo on a white background.
IcePanel
Epsilon Logo
Epsilon3
The logo for supabase.
Supabase
EasyLLama Logo
EasyLlama
Qualifi Logo
Qualifi
Logo of toku
Toku
FEATURED VANTA RESOURCE

The ultimate guide to scaling your compliance program

Learn how to scale, manage, and optimize alongside your business goals.

DOWNLOAD FOR FREE
GRC
AI and Trust: Navigating Maturity, Influence, and Risk
Compliance
Secure from the Start: How Founders Build Compliance Into Early-Stage Growth
Compliance
Building Trust in the AI Boom: Security, Capital, and Credibility from Day One
Compliance
Live Demo: Accelerate security and compliance workflows with AI
GRC
AI and Trust: Navigating Maturity, Influence, and Risk
Compliance
Secure from the Start: How Founders Build Compliance Into Early-Stage Growth
Compliance
Building Trust in the AI Boom: Security, Capital, and Credibility from Day One
Compliance
Live Demo: Accelerate security and compliance workflows with AI

Table of contents

No titles!

Share this article

Share this article

Related Resources

The logo for okta on a yellow background.
Security
Blog

How Vanta uses Okta for identity and access management

Learn how Vanta uses Okta for internal identity and access management (IAM) to help provide a seamless access experience for our employees.

A magnifying glass on a purple background.
Compliance
Blog

The complete guide to compliance risk management

Understand what compliance risk management is and how to create an effective system for your organization. Click here for key tips on managing compliance risk.

Security
Events

From Insights to Action: Measuring and Advancing Security Maturity

Discover how Vanta’s customizable reporting and dashboarding can help you assess and improve security maturity with real-time insights, better risk visibility, and data-driven decision-making.

Compliance
Events

Live Demo: Automating Compliance with Vanta

See how Vanta helps build trust, speed up security questionnaires, and manage vendor risk with ease.

Related Resources

ISO 27001
Blog
ISO 27001 for healthcare companies: Benefits and implementation steps

Discover the specifics of ISO 27001 for healthcare organizations. See why you should adopt it and how to do it without wasting time and resources.

ISO 27001
Events
Live Demo: Automating Compliance for ISO 27001, CPS234, and More

Discover how automation can transform your compliance efforts into a streamlined, efficient process. Join the live demo on May 14th to see it in action and get your compliance questions answered.

ISO 27001
Events
Live Demo: Simplify ISO 27001 and SOC 2 compliance with Vanta

See how Vanta automates up to 90% of your ISO 27001 and SOC 2 compliance work, saving you time and reducing manual effort.

ISO 27001
Events
Live Demo: Automate ISO 27001 and SOC 2 compliance with Vanta

See how Vanta simplifies compliance, accelerates workflows, and helps you prove your commitment to security—no matter where you are in your GRC journey.

What are the ISO 27001:2022 controls?
ISO 27001
Blog
What are the ISO 27001:2022 controls?

Explore the requirements of the ISO 27001:2022 controls and understand how they differ from the 2013 version.

ISO 27001
Blog
The 4 categories of ISO 27001 controls

Explore the four categories of ISO 27001 controls—organizational, people, physical, and technological.

ISO 27001
Blog
6 key steps to ISO 42001 certification explained

Discover how to meet the standard’s requirements efficiently.

ISO 27001
Events
Live Demo: How to streamline ISO 27001 and SOC 2 compliance with automation

Watch Vanta’s 45-minute demo to see how our platform automates up to 90% of the work for achieving ISO 27001 and SOC 2 compliance, helping you streamline security and move towards continuous compliance.

ISO 27001
Events
ISO 27001 vs SOC 2: Which standard is right for my startup?

Attaining security standards such as ISO 27001 or SOC 2 can help boost your business, but for technology startups, security compliance is often lower on the list of company priorities.

ISO 27001
Events
ISO 27001 vs. SOC 2: Which standard is right for my business?

Complying with security standards such as ISO 27001 or SOC 2 can help boost your business, but for technology startups, security compliance is often lower on the list of company priorities.

ISO 27001
Events
ISO 27001 Compliance for SaaS

On 10 October at 2 PM BST, join the Ask Me (Almost) Anything with Herman Errico and Kim Elias, compliance experts at Vanta. They’ll answer (almost) all your questions about ISO 27001 compliance.

Iso 27001 compliance checklist.
ISO 27001
Blog
The ISO 27001 Compliance Checklist

ISO 27001 is the global gold standard for ensuring the security of information and its supporting assets. Obtaining ISO 27001 certification can help an organization prove its security practices to potential customers anywhere in the world.

Get compliant and build trust—fast

Request a demo
G2 Badge 2025 - Best Software | Top 50 Governance, Risk, & Compliance ProductsG2 Badge 2025 - Best Software | Top 50 Security ProductsG2 Badge 2025 - Best Software | Top 100 Best Software Products