Risk Assessment Template
Operational template + real example to produce an ISO 27001 audit-ready risk assessment (assets, threats, vulnerabilities, scoring, treatment, evidence).
In 30 seconds
- Purpose: prioritize risks and decide the appropriate treatment.
- Inputs: scope, assets, threats, vulnerabilities, existing controls.
- Outputs: risk register, treatment plan, SoA/justifications, evidence package.
- When to use it: ISMS creation or review, before an audit, major change, new environment.
Risk assessment is at the core of an ISO 27001 compliant ISMS. Without a structured assessment, there is no coherent treatment plan. Without a coherent treatment plan, there is no solid SoA. And without a solid SoA… audits become challenging.
NetQualIT position
A simple, operational and documented approach: practical for day-to-day governance, and structured enough to remain audit-ready.
Objective of an ISO 27001 risk assessment
The objective is not to produce an unreadable 200-line spreadsheet. The objective is to enable effective governance.
- Identify critical assets
- Qualify threats and vulnerabilities
- Assess business impacts (including regulatory impact)
- Determine a consistent risk level
- Define a treatment strategy (actions + evidence)
Simple and effective methodology
Step 1 — Identify assets
- Microsoft 365 tenant
- Critical server / application
- Document management system / regulated documentation
- Key workstations (production, QA, admin…)
- Sensitive data (patients, R&D, HR…)
Step 2 — Threats & vulnerabilities
- Threat: identity compromise; vulnerability: MFA partially deployed
- Threat: loss of document integrity; vulnerability: lack of version control / traceability
Step 3 — Assess impact
- Financial
- Regulatory
- Reputational
- Operational
In Life Sciences environments, regulatory impact is rarely negligible.
Step 4 — Calculate the risk level
NetQualIT recommends a clear and stable scoring model (e.g. Impact × Likelihood), rather than a “scientific” model that becomes impossible to maintain.
Simplified example
| Asset | Threat | Impact | Likelihood | Level |
|---|---|---|---|---|
| M365 | Admin account compromise | High | Medium | Critical |
Concrete simplified example
Context
- Asset: Microsoft 365 tenant
- Threat: credential theft
- Vulnerability: MFA enabled on only 30% of accounts
- Impact: High
- Likelihood: Medium
- Risk: Critical
Recommended treatment
- Organization-wide MFA deployment
- Advanced logging and alerting
- Targeted phishing awareness
- Quarterly review of privileged accounts
Expected evidence & deliverables
- Risk register
- Treatment plan
- Updated SoA
- Configuration exports / screenshots
- Review procedure
Audit-ready, without unnecessary complexity.
Common mistakes
To avoid
- Copy-pasting an “internet template” without context
- Listing theoretical risks disconnected from business reality
- Forgetting decision traceability
- Never updating the assessment (a classic)
NetQualIT position
An ISMS is not a documentation museum. It must evolve, be measured, and improve. A useful risk assessment is a risk assessment that is actually used.
What an auditor expects
- Consistency between risks, treatment plan, and SoA
- Justification of exclusions
- Evidence of implementation
- Regular updates
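The four expectations above, together with the Impact × Likelihood scoring from Step 4, can be checked mechanically before the auditor does it by hand. The following is an added example, not NetQualIT's template or deliverable: the register format, the 3×3 scoring thresholds and the CTRL-* control identifiers are constructed placeholders, and the two sample risks (the page's M365 case plus a deliberately inconsistent second one) are made up for illustration.

```python
"""Consistency checks an auditor would run over an ISO 27001 risk register.
Added example, not NetQualIT's template; the data model, 3x3 scoring matrix and
CTRL-* identifiers are constructed placeholders, not Annex A references."""
from datetime import date, timedelta

SCALE = {"Low": 1, "Medium": 2, "High": 3}
TODAY = date(2025, 1, 15)  # constructed review date

def risk_level(impact, likelihood):
    """Impact x Likelihood; thresholds are an assumption (High x Medium = 6 -> Critical)."""
    score = SCALE[impact] * SCALE[likelihood]
    if score >= 6:
        return "Critical"
    if score >= 4:
        return "High"
    return "Medium" if score >= 2 else "Low"

def audit_findings(risks, treatments, soa, today=TODAY):
    """One finding per inconsistency; an empty list means register, plan and SoA agree."""
    findings = []
    for r in risks:
        computed = risk_level(r["impact"], r["likelihood"])
        if computed != r["level"]:
            findings.append(f"{r['id']}: recorded {r['level']}, scoring gives {computed}")
        if computed in ("Critical", "High") and r["id"] not in treatments:
            findings.append(f"{r['id']}: {computed} risk with no treatment plan entry")
        if today - r["reviewed"] > timedelta(days=365):
            findings.append(f"{r['id']}: last review older than 12 months")
    for rid, t in treatments.items():
        for ctrl in t["controls"]:
            if not soa.get(ctrl, {}).get("applicable"):
                findings.append(f"{rid}: treatment uses {ctrl}, not applicable in SoA")
        if not t["evidence"]:
            findings.append(f"{rid}: no implementation evidence")
    for ctrl, entry in soa.items():
        if not entry["applicable"] and not entry.get("justification"):
            findings.append(f"SoA: {ctrl} excluded without justification")
    return findings

# Constructed sample: the page's M365 case plus a deliberately sloppy second risk.
RISKS = [
    {"id": "R-01", "asset": "Microsoft 365 tenant", "threat": "credential theft",
     "impact": "High", "likelihood": "Medium", "level": "Critical", "reviewed": date(2024, 11, 1)},
    {"id": "R-02", "asset": "Document management system", "threat": "loss of integrity",
     "impact": "High", "likelihood": "Low", "level": "Low", "reviewed": date(2022, 3, 1)},
]
TREATMENTS = {"R-01": {"controls": ["CTRL-MFA", "CTRL-LOG", "CTRL-AWARE", "CTRL-PRIV"],
                       "evidence": ["mfa-policy-export.json", "alert-rules-screenshot.png"]}}
SOA = {"CTRL-MFA": {"applicable": True}, "CTRL-LOG": {"applicable": True},
       "CTRL-AWARE": {"applicable": True}, "CTRL-PRIV": {"applicable": False},
       "CTRL-PHYS": {"applicable": False, "justification": "fully cloud-hosted, no own premises"}}
```

On the sample data, `audit_findings(RISKS, TREATMENTS, SOA)` returns four findings: the second risk is under-scored and stale, and the first risk's treatment relies on a control the SoA excludes without justification.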
Deliverables
- Risk assessment matrix template
- Example risk register
- Example treatment plan
- Simplified Statement of Applicability (SoA) template
Operational summary
An effective ISO 27001 risk assessment is not meant to impress. It must enable teams to decide, govern, and demonstrate compliance.
Structure. Traceability. Consistency. That’s enough.
Need a clear and efficient framework?
NetQualIT supports the structuring, security, and documentation of your systems with truly audit-ready deliverables.