ISO 27001: an audit-ready risk register
ISO 27001:2022 requires a documented, recurring information-security risk assessment. RiskNote gives you the register, the 5x5 matrix, and the traceability, so the auditor doesn't have to hunt for the answer to “how did you arrive at this risk?”.
What is ISO 27001?
ISO 27001 is the international standard for information-security management systems (ISMS). It's the most widely used certification for information security.
The current version is ISO 27001:2022, which replaced ISO 27001:2013. Key changes: Annex A restructured from 14 categories to 4 (organisational, people, physical, technical), and controls reduced from 114 to 93.
Risk management is central to the ISMS (clause 6.1) and follows ISO 27005, an application of ISO 31000 to information-security risks.
ISO 27001 risk management (clause 6.1)
1. Define risk criteria
Risk tolerance, scales for likelihood and consequence, acceptance criteria.
2. Identify information-security risks
Systematic review of assets (information, systems, people, processes) and threats.
3. Analyse and evaluate
Assess likelihood × consequence. Prioritise against the criteria from step 1.
4. Select risk treatment
Accept, reduce, transfer, avoid. Pick controls from ISO 27001 Annex A (or custom).
5. Produce the Statement of Applicability (SoA)
Document listing all 93 Annex A controls with status (applicable/not applicable) and justification. Audit evidence.
6. Recurring review
Risk register updated at least annually and on major change. Management review.
ISO 27001 risk register checklist
Identified assets
Information-security risks start from assets: data, systems, networks, people, premises.
Identified threats and vulnerabilities
What can go wrong? Threat × vulnerability = risk.
Assessed likelihood
Scale 1–5 (or equivalent). Consistent application.
Assessed consequence (CIA)
Confidentiality, integrity, availability. Each objective assessed separately or aggregated.
Risk owner per risk
A named person accountable for each risk. RiskNote delegation (V1.1) supports this.
Control selection and mapping
Each risk maps to Annex A control(s) or a custom control. Documented in the SoA.
Residual risk after treatment
Assessment of residual risk after controls are implemented. Must be accepted by the risk owner.
Version history
Audit evidence requires traceability: who changed what, when, and why.
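As an added example (not RiskNote's own code), the process and checklist above as a minimal register entry in Python: likelihood × consequence scored on the 5x5 matrix, the CIA objectives aggregated as the worst one, free-text Annex A references, a residual risk that only the named owner can accept, a version history of who changed what, when and why, and an audit-gap check. The score bands and the worst-case CIA aggregation are assumptions chosen for the example, not requirements of the standard.

```python
from dataclasses import dataclass, field
SCALE = range(1, 6)   # 1..5 for likelihood and for each CIA consequence
BANDS = ((4, "low"), (9, "medium"), (15, "high"), (25, "critical"))  # assumed score bands

def score(likelihood: int, consequence: int) -> int:   # one cell of the 5x5 matrix
    if likelihood not in SCALE or consequence not in SCALE:
        raise ValueError("likelihood and consequence must be 1..5")
    return likelihood * consequence

def level(s: int) -> str:
    return next(name for limit, name in BANDS if s <= limit)

@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    owner: str                                   # named person accountable for the risk
    likelihood: int
    cia: dict                                    # {"C": 1..5, "I": 1..5, "A": 1..5}
    controls: list = field(default_factory=list) # free-text Annex A refs, e.g. "A.8.12"
    residual: tuple = None                       # (likelihood, consequence) after treatment
    accepted_by: str = None
    history: list = field(default_factory=list)  # (who, when, why, field, old, new)

    def consequence(self) -> int:
        return max(self.cia.values())            # aggregate CIA as the worst-case objective

    def update(self, who: str, when: str, why: str, **changes) -> None:
        # Every change is logged with who, when, why and the old/new value
        for name, new in changes.items():
            self.history.append((who, when, why, name, getattr(self, name), new))
            setattr(self, name, new)

    def accept_residual(self, who: str) -> None:
        if who != self.owner:
            raise PermissionError("residual risk must be accepted by the risk owner")
        if self.residual is None or score(*self.residual) > score(self.likelihood, self.consequence()):
            raise ValueError("residual risk missing or higher than the inherent risk")
        self.accepted_by = who

def audit_gaps(r: Risk) -> list:
    # Checklist items an auditor would flag on this register entry
    gaps = []
    if not r.owner: gaps.append("no risk owner")
    if not r.controls: gaps.append("no control mapping")
    if r.residual is None: gaps.append("no residual assessment")
    elif r.accepted_by != r.owner: gaps.append("residual not accepted by owner")
    return gaps
```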
How RiskNote supports ISO 27001
RiskNote implements the ISO 31000 process that ISO 27005 is built on. The AI suggests information-security risks. The 5x5 matrix visualises prioritisation. Status and version history give the auditor traceability.
ISO 27001-specific features: mapping to Annex A controls per risk, an auto-generated SoA report, and a “risk owner” role are planned for V1.2 (Q3 2026). Today you use free text for the mapping, which works well for most organisations.
Frequently asked questions about ISO 27001
Is RiskNote enough for ISO 27001 certification?
RiskNote covers the risk management part (clauses 6.1 and 8.2-8.3) very well. But ISO 27001 certification also requires a full ISMS: policies, incident handling, asset management, vendor review, continuity planning. RiskNote is a strong tool but not the full ISMS solution for larger organisations.
How do we link risks to Annex A controls?
Today you use the free-text field on the risk to reference controls (e.g. “A.5.1, A.8.12”). Explicit Annex A mapping ships in V1.2 (Q3 2026).
Does RiskNote support both ISO 27001:2013 and :2022?
Yes: the principle is the same; only the number of controls differs. If you still certify against :2013, RiskNote works equally well. We recommend planning migration to :2022 before 2025.
Can we produce a Statement of Applicability from RiskNote?
SoA generation is planned for V1.2. Today you can export risks and controls to PDF/CSV and assemble the SoA in Excel or Word.
What's the difference between ISO 27001 and SOC 2?
ISO 27001 is European/international and system-based (you certify an ISMS). SOC 2 is US and auditor-based (Type 1 or Type 2). They overlap at control level but the process differs. Many companies do both.
Start building your ISO 27001 risk register
RiskNote gives you structure, AI suggestions, and traceability from day one. Start a free trial.

