ISMS vs Risk Assessment

Being in the business for close to 30 years, we dare to say this: ISMS provides more real security than any risk assessment.

Risk assessment (episodic, compliance, discovery)ISMS (continuous, operational, preventive)
episodic activity (annual/periodic)always running (continuous monitoring & PDCA)
schematic, often guess-based (likelihood x impact)focus on boring but lethal basics (patching, access, monitoring)
produces risk registers (good for auditors)minimizes generic/common risks automatically
main value: regulatory compliance + gap findingevolves as new risks discovered → controls added
often diverges from real incidentssubstance: real risk prevention mechanism

If ISMS is to be based on ISO 27001 we must have requirements for risk assessments.

Relationship between ISO 27000 standards

ISO 27001:2022 mandates selecting appropriate security controls based on the risk assessment outcomes. These controls are generally selected from Annex A of ISO 27001:2022, which lists 93 security controls grouped into organizational, people, physical, and technological categories. The purpose of Annex A controls is to mitigate the risks identified in the risk register, managing confidentiality, integrity, and availability risks of information.

In addition, ISO 27002:2022 complements ISO 27001 by providing detailed guidance on implementing the controls listed in Annex A of ISO 27001. While ISO 27001 specifies the requirement to use controls to treat risks, ISO 27002 gives detailed descriptions and implementation guidance for these controls.

Therefore, the risks documented in the risk register are typically treated by selecting and applying relevant controls from Annex A (ISO 27001) with implementation guidance from ISO 27002:2022.

Risk vs. threat

To start with risk assessment we need to first identify some threats. Interestingly enough while the old version of ISO 27005:2018 contained example threat sources, threat events, and vulnerability categories, the new version from 2022 does not.

This was intentional because:

  • threat landscapes change too fast — static lists become outdated,
  • ISO 27005 is meant to be methodology‑neutral, not a threat catalog,
  • and Annex A of ISO 27001:2022 no longer maps to threats.

The 2022 edition expects organizations to use their own threat sources, or external catalogs (ENISA, NIST, MITRE ATT&CK, etc.). Of course, if you've been doing security for a long time, you probably already have your own list, exactly as we do in this course.

 The threat will become a risk as soon as we are able to assess the probability and impact of the threat. Only then we can equal a threat with a risk.