Study Document 04

Risk assessment, treatment and SoA.

A lead auditor guide to Clause 6: defining risk criteria, identifying and evaluating information security risks, selecting treatment options, building the Statement of Applicability, and auditing residual risk acceptance.

Why this matters

This is one of the highest-value exam areas.

Many ISO 27001 Lead Auditor questions test whether you can connect context, risk assessment, risk treatment, Annex A, SoA, implementation evidence, and residual risk approval. The strongest answers follow that chain.

6.1: Actions to address risks and opportunities.
SoA: The bridge between risk treatment and Annex A controls.
Owner: Residual risk must be accepted by the appropriate risk owner.

Risk assessment flow

Use a repeatable method that produces comparable results.

The auditor should verify that the organization has defined criteria, applied them consistently, and kept enough evidence to support risk decisions.

  1. Set criteria: Define likelihood, impact, scoring, acceptance, and reassessment triggers.
  2. Identify risks: Use assets, processes, threats, vulnerabilities, events, and business context.
  3. Assign owners: Risk owners must have authority to evaluate and accept risk decisions.
  4. Analyse risk: Assess realistic likelihood, consequence, existing control effectiveness, and risk level.
  5. Evaluate risk: Compare results against risk criteria and determine acceptability.
  6. Treat risk: Select treatment options and controls, including Annex A and any additional controls.
  7. Accept residual: Approve residual risk, track treatment, and review changes over time.

Core concepts

Know the difference between risk, threat, vulnerability, and issue.

Exam scenarios often hide the answer in terminology. Read carefully before choosing whether the situation is a risk, an issue, a control weakness, or evidence of nonconformity.

Risk

Uncertainty affecting objectives.

For ISMS work, think of the chance that a threat exploits a vulnerability and affects confidentiality, integrity, or availability.

Threat

Source or cause of potential harm.

Examples include malware, malicious insiders, supplier outage, natural events, human error, or unauthorized access attempts.

Vulnerability

Weakness that can be exploited.

Examples include excessive privileges, missing patching, weak monitoring, no tested recovery, or absent review control.

Issue

Something already happening.

An issue may become audit evidence of control failure, process weakness, or a nonconformity depending on criteria and impact.

Risk treatment

Treatment decisions must be traceable to risk results.

The organization can select different treatment options. The auditor checks whether the option is appropriate, approved, implemented, and reviewed.

Option: Avoid
Meaning: Stop or change the activity that creates the risk.
Audit evidence to expect: Business decision, discontinued service, changed architecture, or removed exposure.

Option: Reduce / modify
Meaning: Apply controls to reduce likelihood or impact.
Audit evidence to expect: Selected controls, implementation plan, operating records, testing, monitoring, and ownership.

Option: Share / transfer
Meaning: Share part of the risk with another party.
Audit evidence to expect: Contract clauses, insurance, supplier responsibilities, service levels, and oversight evidence.

Option: Retain / accept
Meaning: Accept residual risk by informed decision.
Audit evidence to expect: Risk owner approval, rationale, acceptance criteria, review date, and monitoring trigger.

Statement of Applicability

The SoA explains control applicability and status.

The SoA should not be a static checklist. It must reflect risk treatment, legal and contractual requirements, business needs, Annex A comparison, control inclusion or exclusion, and implementation status.

SoA element: Control reference
Purpose: Identifies Annex A or additional control.
Auditor test: Does the SoA include the full Annex A comparison and extra controls where needed?
Common weakness: Control list is incomplete or outdated.

SoA element: Applicability
Purpose: Shows whether the control applies to the ISMS scope.
Auditor test: Is the applicability decision justified by scope, risk, law, contract, or business need?
Common weakness: Controls excluded without credible rationale.

SoA element: Justification
Purpose: Explains inclusion or exclusion.
Auditor test: Can the reason be traced to risk treatment or requirements?
Common weakness: Generic wording that does not match the organization.

SoA element: Status
Purpose: States whether the control is implemented.
Auditor test: Does operating evidence confirm the stated status?
Common weakness: Marked implemented but no records or weak operation.

Audit evidence

What the auditor should ask for.

Evidence should show both design and operation. A risk register or SoA is not enough unless the risk process is applied, reviewed, approved, and connected to actual control operation.

Methodology

  • Risk criteria and scales.
  • Assessment frequency and triggers.
  • Likelihood and impact method.
  • Consistency and comparability rules.

Risk register

  • Risk owner for each risk.
  • Impact, likelihood, rating, and acceptability.
  • Existing controls and treatment decisions.
  • Status and review history.

Treatment plan

  • Treatment option and controls.
  • Owner, due date, resources, and progress.
  • Residual risk and approval.
  • Evidence of implemented actions.

SoA

  • All Annex A controls considered.
  • Inclusion and exclusion justification.
  • Implementation status.
  • Traceability to risk, law, contract, and business drivers.

Common nonconformities

Typical findings around risk and SoA.

  • Risk methodology is not defined or not applied consistently.
  • Risk owners are missing or residual risks are not approved.
  • Risk treatment plan has no owner, timeline, implementation status, or evidence.
  • SoA excludes controls without justification.
  • SoA says a control is implemented, but operating evidence is not available.
  • Legal, contractual, supplier, or scope changes do not trigger risk and SoA review.
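As an added example, not part of the KISCyber guide, the following Python check traces a constructed risk register through owner, treatment, SoA applicability, operating evidence, and residual approval, and flags the findings listed above. The likelihood x impact scoring, the acceptance threshold of 6, and the sample records are assumptions for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

@dataclass
class Risk:
    rid: str
    owner: Optional[str]
    likelihood: int            # 1-5, assumed scale from the risk criteria
    impact: int                # 1-5, assumed scale
    treatment: str             # avoid / reduce / share / retain
    controls: List[str] = field(default_factory=list)   # SoA control refs
    residual_approved_by: Optional[str] = None          # owner sign-off

ACCEPT_THRESHOLD = 6  # assumed acceptance criterion: level <= 6 may be retained

def risk_level(r: Risk) -> int:
    return r.likelihood * r.impact   # assumed simple scoring method

def audit(risks: List[Risk], soa: Dict[str, dict], evidence: Set[str]) -> List[str]:
    """Trace risk -> owner -> treatment -> SoA -> operating evidence -> approval.
    soa: control ref -> {'applicable','status','justification'}; evidence: refs
    for which operating records were sighted."""
    findings = []
    for r in risks:
        if not r.owner:
            findings.append(f"{r.rid}: no risk owner")
        if r.treatment == "retain" and risk_level(r) > ACCEPT_THRESHOLD:
            findings.append(f"{r.rid}: retained above acceptance criteria")
        if r.treatment == "reduce" and not r.controls:
            findings.append(f"{r.rid}: reduce selected but no controls chosen")
        if r.residual_approved_by is None:
            findings.append(f"{r.rid}: residual risk not approved")
        for c in r.controls:
            if c not in soa or not soa[c]["applicable"]:
                findings.append(f"{r.rid}: control {c} not applicable in SoA")
    for c, row in soa.items():
        if not row["applicable"] and not row["justification"]:
            findings.append(f"SoA {c}: excluded without justification")
        if row["status"] == "implemented" and c not in evidence:
            findings.append(f"SoA {c}: marked implemented, no operating evidence")
    return findings

# Constructed sample records (not from any real organisation).
RISKS = [Risk("R1", "IT Manager", 4, 4, "reduce", ["A.8.8"], "IT Manager"),
         Risk("R2", None, 3, 2, "retain"),
         Risk("R3", "CISO", 4, 3, "retain", [], "CISO")]
SOA = {"A.8.8": {"applicable": True, "status": "implemented", "justification": "R1"},
       "A.5.7": {"applicable": False, "status": "n/a", "justification": ""}}
EVIDENCE: Set[str] = set()  # no operating records sighted for A.8.8

def run_example() -> List[str]:
    return audit(RISKS, SOA, EVIDENCE)
```

Running `run_example()` on the constructed data reports a missing owner and unapproved residual risk for R2, a retained risk above the threshold for R3, an SoA control marked implemented without records, and an exclusion with no justification.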

Exam technique

Trace the answer through the risk chain.

  • If the question asks about risk assessment, look for criteria, owner, analysis, and evaluation.
  • If it asks about treatment, look for option, selected controls, plan, owner, and residual risk.
  • If it asks about SoA, look for Annex A comparison, applicability, justification, and status.
  • If it asks about audit evidence, ask for records proving the control operates, not only the document.
  • If it asks who accepts residual risk, choose the risk owner or authorized management role.

Quick memory aid

Risk assessment means identify, analyse, evaluate. Risk treatment means select an option, choose controls, compare with Annex A, plan implementation, and accept residual risk. SoA means include, exclude, justify, and prove implementation status.

Use note

This is a KISCyber learner guide.

This page is an original training summary using user-provided ISO 27001 Lead Auditor risk management and SoA study materials as references. Always use the authorised standard, official course material, and current exam provider guidance when preparing for certification.