
ISO 27001 Risk Assessment: A Practical Guide for Australian Organisations

The ISO 27001 risk assessment is not a formality you tick off on the way to certification. It is the engine that drives the entire framework. If you are pursuing ISO 27001 certification in Australia and you do not have a solid risk assessment process in place, the rest of your programme will not hold up under audit.

This guide explains what the standard actually requires, how to approach the process practically, and where most organisations come unstuck.

What ISO 27001 Actually Requires

ISO 27001:2022 (the current version of the standard) dedicates a significant portion of its requirements to risk management. Clause 6.1 requires organisations to establish and maintain a documented information security risk assessment process. That means defining how you identify risks, how you evaluate them, and how you decide what to do about them.

The standard does not tell you which methodology to use or which tool to use to document it. That flexibility sounds helpful, but it is actually where a lot of organisations get into trouble. Without guidance, teams either overcomplicate the process or produce something so lightweight it would not survive scrutiny from a certification auditor.


Risk Assessment vs Risk Treatment

These two things are related but distinct, and it is worth being clear on the difference from the outset.

The risk assessment is the process of identifying what could go wrong, how likely it is, and what the impact would be. The risk treatment plan is what you decide to do about those risks – whether you accept them, mitigate them, transfer them, or avoid them entirely. Both are required under the standard, and both need to be documented.

How to Structure Your ISO 27001 Risk Assessment

There is no single correct way to run a risk assessment under ISO 27001, but the following approach is what we see working well in practice.

Step 1: Define Your Scope and Context

Before you can assess risk, you need to know what you are protecting. Clause 4 of the standard requires organisations to define the scope of their Information Security Management System (ISMS). This means identifying which systems, processes, locations, and information assets fall within the boundary of your ISMS.

Getting scope right at the start saves significant pain later. A scope that is too broad creates an unmanageable workload. A scope that is too narrow may not satisfy the requirements of your customers or auditors.

Step 2: Build Your Asset Inventory

You cannot assess risk against assets you have not identified. Your asset inventory should cover information assets (databases, intellectual property, customer data), physical assets (servers, devices, office infrastructure), and software assets (applications, cloud services, development environments).

For Australian organisations handling personal information, your Privacy Act obligations are directly relevant here. Any asset that stores or processes personal data deserves particular attention in your risk assessment.

Step 3: Identify Threats and Vulnerabilities

For each asset, consider what threats could affect it and what vulnerabilities might make those threats more likely to materialise. Threats might include ransomware, insider access abuse, third-party supply chain compromise, or physical theft. Vulnerabilities might include unpatched systems, weak access controls, or inadequate staff awareness training.

This step is where organisations with limited security experience often need support. Identifying threats requires an understanding of the current threat environment, not just a generic list copied from a template.

Step 4: Assess Likelihood and Impact

This is where you assign a risk rating to each identified risk. Most organisations use a simple matrix scoring likelihood and impact on a scale (for example, 1 to 5), producing a risk score that allows you to prioritise your treatment efforts.

The scale and scoring method you use are less important than consistency. Use the same criteria across all assessments, document your rationale, and make sure your ratings are defensible if an auditor asks why a particular risk was rated low.

Step 5: Decide on Treatment Options

Once you have a prioritised risk register, you need a treatment plan. For each risk above your accepted threshold, document what control you are applying or implementing, who is responsible, and the target date for completion. Annex A of ISO 27001:2022 contains 93 controls across four categories (organisational, people, physical, and technological) that you can reference when selecting appropriate treatments.
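The five steps above, carried through as an added example (not Siege Cyber's own tooling): a small risk register that applies the 1 to 5 likelihood and impact matrix consistently, ranks risks by score, and flags the entries an auditor would challenge. The acceptance threshold of 8, the 365-day review interval, the review date and the three register entries are all assumed sample values constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

SCALE = range(1, 6)                    # likelihood and impact both scored 1 to 5, as in the guide
ACCEPT_THRESHOLD = 8                   # assumed: a score of 8 or below may be formally accepted
REVIEW_INTERVAL = timedelta(days=365)  # assumed planned review interval for each entry
AS_OF = date(2025, 6, 1)               # assumed date of the review run below

@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int
    impact: int
    last_reviewed: date
    treatment: str = "accept"          # accept, mitigate, transfer or avoid
    control: str = ""                  # Annex A control applied or planned
    owner: str = ""
    target_date: "date | None" = None

    def score(self) -> int:
        # One scale for every entry: anything off it is rejected, not silently clamped
        if self.likelihood not in SCALE or self.impact not in SCALE:
            raise ValueError(f"{self.asset}: likelihood and impact must be 1 to 5")
        return self.likelihood * self.impact

def prioritised(register: list[Risk]) -> list[Risk]:
    return sorted(register, key=lambda r: r.score(), reverse=True)

def audit_findings(register: list[Risk], today: date = AS_OF) -> list[str]:
    findings = []
    for r in register:
        s = r.score()
        if s > ACCEPT_THRESHOLD and r.treatment == "accept":
            findings.append(f"{r.asset}: score {s} exceeds threshold but is only accepted")
        if r.treatment != "accept" and not (r.control and r.owner and r.target_date):
            findings.append(f"{r.asset}: treatment plan lacks control, owner or target date")
        if today - r.last_reviewed > REVIEW_INTERVAL:
            findings.append(f"{r.asset}: last reviewed {(today - r.last_reviewed).days} days ago")
    return findings

# Constructed sample register (hypothetical entries, not real client data; A.8.8 is a 2022 Annex A reference)
REGISTER = [
    Risk("Customer database", "ransomware", "unpatched DB host", 4, 5, date(2025, 1, 10),
         "mitigate", "A.8.8", "Infrastructure lead", date(2025, 3, 31)),
    Risk("Office laptops", "physical theft", "no full-disk encryption", 3, 3, date(2024, 2, 1)),
    Risk("Build server", "supply chain compromise", "unpinned dependencies", 2, 4, date(2025, 1, 10), "mitigate"),
]
```

Running `audit_findings(REGISTER)` on the sample reports the accepted laptop risk that sits above the threshold, its stale review, and the build server treatment that names no control, owner or date.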


If you are working through your risk assessment for the first time and are not sure whether your approach will satisfy an auditor, a gap analysis is a practical place to start. Siege Cyber works with Australian organisations at every stage of the ISO 27001 journey, from initial scoping through to certification. View our ISO 27001 services or explore our compliance pricing.


Common Mistakes That Derail ISO 27001 Risk Assessments

The most common problem we see is organisations treating the risk assessment as a one-time exercise. ISO 27001 requires you to review and update your risk assessment at planned intervals and whenever significant changes occur. A risk register that was accurate eighteen months ago and has not been touched since is a liability, not an asset.

The second issue is producing a risk assessment that reads like a generic template. Auditors see a lot of these. If your risk register does not reflect the specific systems, business processes, and threat environment of your organisation, it will not hold up. The document needs to reflect genuine analysis, not a checkbox exercise.

Third, organisations often underestimate the Statement of Applicability (SoA). The SoA documents which of the 93 Annex A controls are applicable to your organisation, which have been implemented, and justification for any that have been excluded. It is one of the most scrutinised documents in the entire audit and it is directly linked to your risk assessment outputs. Getting the SoA right requires time, expertise, and a clear line of sight between your risks and your controls.

Where Compliance Automation Fits In

Platforms like Vanta and Drata have made the operational side of ISO 27001 compliance significantly more manageable. They can automate evidence collection, track control implementation, and surface gaps in your control environment in real time.

Siege Cyber is an official partner of both Vanta and Drata, which means we regularly work with organisations that have purchased one of these platforms and want expert guidance to use it effectively. The platforms are genuinely useful, but they do not replace the judgement required to scope your ISMS appropriately, write a risk assessment that reflects your actual environment, or prepare for the conversations an auditor will have with your leadership team.


ISO 27001 and Australian Regulatory Obligations

ISO 27001 certification does not automatically satisfy all of your legal obligations under Australian law, but it provides a strong foundation. Organisations in the financial services sector subject to APRA CPS 234 will find significant overlap between the standard’s requirements and APRA’s expectations around information security capability, incident response, and third-party risk management.

Similarly, ISO 27001’s controls around personal data handling complement your obligations under the Privacy Act 1988. If your organisation is working toward ISO 27001 certification and also dealing with Privacy Act compliance, your risk assessment is a good place to document and address both sets of requirements in a coordinated way.

For organisations already working within the ASD Essential Eight framework, ISO 27001 certification provides broader coverage and international recognition, while the Essential Eight remains a more prescriptive, technically focused model. They are complementary rather than competing.

If you are ready to start your ISO 27001 risk assessment or you want to understand what certification will take for your organisation, talk to Siege Cyber. We work with Australian businesses from the first gap analysis through to successful certification, and we can work alongside your Vanta or Drata implementation if you have already invested in a compliance platform. Visit siegecyber.com.au/services/iso-27001 to learn more, view our pricing, or get in touch at [email protected].