Training Module
Information Security Risk Management
Understand ISO/IEC 27001 requirements for information security risk assessment, risk treatment, and traceable risk decisions
Training Module
Information Security Risk Management
Understand ISO/IEC 27001 requirements for information security risk assessment, risk treatment, and traceable risk decisions
Training Module
Information Security Risk Management
Understand ISO/IEC 27001 requirements for information security risk assessment, risk treatment, and traceable risk decisions
Does your risk management practice produce artefacts that fail to influence control decisions?
This training module guides you through disciplined risk assessment and treatment aligned with ISO/IEC 27001, producing a clear decision trail.
Does your risk management practice produce artefacts that fail to influence control decisions?
This training module guides you through disciplined risk assessment and treatment aligned with ISO/IEC 27001, producing a clear decision trail.
Does your risk management practice produce artefacts that fail to influence control decisions?
This training module guides you through disciplined risk assessment and treatment aligned with ISO/IEC 27001, producing a clear decision trail.
Training module overview
Training module overview
Training module overview
Risk registers and scoring exercises often sit in isolation, disconnected from control selection and acceptance decisions.
This training module explains how ISO/IEC 27001 frames risk assessment and treatment, how to define risk criteria and statements, and how to document assessment results in a way that supports treatment planning and residual risk acceptance. Participants learn to produce coherent risk treatment artefacts that link risks, treatment options, selected controls and the Statement of Applicability. The module emphasises traceability and maintenance rather than the mechanics of scoring models.
Risk registers and scoring exercises often sit in isolation, disconnected from control selection and acceptance decisions.
This training module explains how ISO/IEC 27001 frames risk assessment and treatment, how to define risk criteria and statements, and how to document assessment results in a way that supports treatment planning and residual risk acceptance. Participants learn to produce coherent risk treatment artefacts that link risks, treatment options, selected controls and the Statement of Applicability. The module emphasises traceability and maintenance rather than the mechanics of scoring models.
Applicable environments
This module applies to organisations implementing or operating an information security management system (ISMS) in line with ISO/IEC 27001. It focuses on how the standard’s requirements are interpreted and applied in practice within real organisational contexts.
The content is relevant for organisations seeking certification as well as for those using ISO/IEC 27001 as a reference framework to structure responsibilities, processes, and controls in the information security domain.
Target audience
Target audience
Target audience
People involved in designing, building, operating, or improving an ISMS aligned with ISO/IEC 27001
Executives and department heads accountable for the effectiveness and performance of an ISMS
Those responsible for processes, policies, assets, risks, and controls related to information security
Auditors of ISO/IEC 27001 who want to deepen their understanding of management-side best practices (not audit technique)
People involved in designing, building, operating, or improving an ISMS aligned with ISO/IEC 27001
Executives and department heads accountable for the effectiveness and performance of an ISMS
Those responsible for processes, policies, assets, risks, and controls related to information security
Auditors of ISO/IEC 27001 who want to deepen their understanding of management-side best practices (not audit technique)
Decision support
Is this module for you?
It is a good fit if you…
are responsible for ISMS risk assessment, treatment, or acceptance decisions.
struggle with inconsistent risk criteria, weak risk statements, or unclear ownership.
need risk outputs that clearly justify control selection and SoA decisions.
must produce risk artefacts that hold up in audits and management review.
want risk management to function as a repeatable decision process, not a one-off exercise.
are responsible for ISMS risk assessment, treatment, or acceptance decisions.
struggle with inconsistent risk criteria, weak risk statements, or unclear ownership.
need risk outputs that clearly justify control selection and SoA decisions.
must produce risk artefacts that hold up in audits and management review.
want risk management to function as a repeatable decision process, not a one-off exercise.
If most of the points above apply, this module is likely a good fit.
It may not be the best fit if you…
are looking for a general introduction to information security risk concepts.
expect quantitative risk modelling or advanced risk analytics.
want a tool-specific or template-driven risk assessment walkthrough.
already operate a consistent, well-understood, and reviewable ISMS risk process.
are looking for a general introduction to information security risk concepts.
expect quantitative risk modelling or advanced risk analytics.
want a tool-specific or template-driven risk assessment walkthrough.
already operate a consistent, well-understood, and reviewable ISMS risk process.
Agenda
Agenda
Agenda
Role of risk management inside an ISMS
ISO/IEC 27001 risk terminology and required definitions
Risk criteria and consistency requirements
Risk assessment outputs that support treatment decisions
Risk treatment expectations and artefacts
Traceability to controls and the SoA interface
Maintaining risk information over time
Case-based workshop
Show detailed agenda...
Role of risk management inside an ISMS
ISO/IEC 27001 risk terminology and required definitions
Risk criteria and consistency requirements
Risk assessment outputs that support treatment decisions
Risk treatment expectations and artefacts
Traceability to controls and the SoA interface
Maintaining risk information over time
Case-based workshop
Show detailed agenda...
Role of risk management inside an ISMS
ISO/IEC 27001 risk terminology and required definitions
Risk criteria and consistency requirements
Risk assessment outputs that support treatment decisions
Risk treatment expectations and artefacts
Traceability to controls and the SoA interface
Maintaining risk information over time
Case-based workshop
Show detailed agenda...
Learning outcomes
Learning outcomes
Learning outcomes
Key outcomes
Interpret ISO/IEC 27001 risk assessment and treatment requirements in practical terms
Define documented elements (criteria, statements, decision records) needed for consistent risk methods
Produce risk treatment artefacts that evidence decisions and residual risk acceptance
Interpret ISO/IEC 27001 risk assessment and treatment requirements in practical terms
Define documented elements (criteria, statements, decision records) needed for consistent risk methods
Produce risk treatment artefacts that evidence decisions and residual risk acceptance
Additional capabilities
Maintain traceability from risks through treatment decisions to controls and the Statement of Applicability
Identify common pitfalls in risk assessment and treatment that lead to paper exercises
Set maintenance routines and review triggers to keep risk records current and useful
Maintain traceability from risks through treatment decisions to controls and the Statement of Applicability
Identify common pitfalls in risk assessment and treatment that lead to paper exercises
Set maintenance routines and review triggers to keep risk records current and useful
Additional benefits
Additional benefits
Additional benefits
Learning materials
Slide deck
Participant workbook
Templates & tools
Practical, reusable artefacts to apply the module directly to your organisation.
ISO/IEC 27001 risk method definition checklist (documented elements and decision points)
Risk statement quality guide (structure and minimum fields)
Risk criteria sanity-check worksheet (consistency and usability checks)
Risk treatment decision log (options, rationale, ownership, residual risk)
Risk-to-control traceability matrix (risk → treatment → control selection)
SoA linkage worksheet (treatment rationale → inclusion/exclusion justification)
Optional AI prompt set for summarising change signals and drafting consistent risk statements (supporting, not replacing judgement)
ISO/IEC 27001 risk method definition checklist (documented elements and decision points)
Risk statement quality guide (structure and minimum fields)
Risk criteria sanity-check worksheet (consistency and usability checks)
Risk treatment decision log (options, rationale, ownership, residual risk)
Risk-to-control traceability matrix (risk → treatment → control selection)
SoA linkage worksheet (treatment rationale → inclusion/exclusion justification)
Optional AI prompt set for summarising change signals and drafting consistent risk statements (supporting, not replacing judgement)
Confirmation
Certificate of completion
Module ID
HAM-IS-S-02
Domain
Audience
Manager
Auditor
Language
English
Delivery
Live virtual
Duration
7 h
List price
CHF 550
Excl. VAT. VAT may apply depending on customer location and status.
Delivery & learning format
Delivery & learning format
Delivery & learning format
Virtual live teaching
This module is delivered live, with a strong focus on discussion, practical application, and direct interaction with the instructor.
Sessions work through realistic examples, clarify concepts in context, and apply methods directly to participants’ organisational realities.
Custom delivery options
For organisations with specific constraints or learning objectives, the module can be adapted in format or scope, including in-house delivery and contextualised case material.
Not sure if this module is right for you?
Not sure if this module is right for you?
Not sure if this module is right for you?
For an optimal learning experience
Preparation guidance
This module is designed as part of a modular training approach. Topics are deliberately distributed across modules and are not repeated in full, in order to avoid unnecessary redundancy. Each module is self-contained and can be taken on its own. Where prior knowledge or experience is helpful, this is indicated below so you can decide whether any preparation is useful for you.
For an optimal learning experience
Preparation guidance
This module is designed as part of a modular training approach. Topics are deliberately distributed across modules and are not repeated in full, in order to avoid unnecessary redundancy. Each module is self-contained and can be taken on its own. Where prior knowledge or experience is helpful, this is indicated below so you can decide whether any preparation is useful for you.
For an optimal learning experience
Preparation guidance
This module is designed as part of a modular training approach. Topics are deliberately distributed across modules and are not repeated in full, in order to avoid unnecessary redundancy. Each module is self-contained and can be taken on its own. Where prior knowledge or experience is helpful, this is indicated below so you can decide whether any preparation is useful for you.
Assumed background
This module assumes participants can already work with general risk concepts and basic management system logic.
Helpful background includes:
Understanding of risk terminology, evaluation, and treatment concepts
Familiarity with management system roles, documented information, and governance routines
Basic information security literacy
This module assumes participants can already work with general risk concepts and basic management system logic.
Helpful background includes:
Understanding of risk terminology, evaluation, and treatment concepts
Familiarity with management system roles, documented information, and governance routines
Basic information security literacy
Preparatory modules
Foundational modules (depending on background)
Useful if you are new to the underlying concepts or want a shared baseline before attending this module.
Risk Management Foundations
Learn the fundamentals of identifying, evaluating, treating, and monitoring risks and opportunities across management systems
7 h
Risk Management Foundations
Learn the fundamentals of identifying, evaluating, treating, and monitoring risks and opportunities across management systems
7 h
Risk Management Foundations
Learn the fundamentals of identifying, evaluating, treating, and monitoring risks and opportunities across management systems
7 h
Supporting modules (optional)
Helpful if you want to deepen related skills, but not required to participate effectively.
System Foundations
Understand organisational context, stakeholders, and system boundaries to build and operate effective management systems
7 h
System Foundations
Understand organisational context, stakeholders, and system boundaries to build and operate effective management systems
7 h
System Foundations
Understand organisational context, stakeholders, and system boundaries to build and operate effective management systems
7 h
Continuous learning
Follow-up modules
Continuous learning
Follow-up modules
Continuous learning
Follow-up modules
After completion of this module, the following modules are ideal to further deepen your competence. If you are looking for a structured learning path, modules can also be taken as part of a professional track.
Operational Control in Information Security
Understand operational planning, controlled change, and day-to-day control operation in an ISO/IEC 27001 ISMS
Duration
7 h
List price
CHF 550
View module
Operational Control in Information Security
Understand operational planning, controlled change, and day-to-day control operation in an ISO/IEC 27001 ISMS
Duration
7 h
List price
CHF 550
View module
Operational Control in Information Security
Understand operational planning, controlled change, and day-to-day control operation in an ISO/IEC 27001 ISMS
Duration
7 h
List price
CHF 550
View module
ISMS Scope, Boundaries & Statement of Applicability
Understand how to define an ISO/IEC 27001 ISMS scope and boundaries and document a Statement of Applicability (SoA)
Duration
7 h
List price
CHF 550
View module
ISMS Scope, Boundaries & Statement of Applicability
Understand how to define an ISO/IEC 27001 ISMS scope and boundaries and document a Statement of Applicability (SoA)
Duration
7 h
List price
CHF 550
View module
ISMS Scope, Boundaries & Statement of Applicability
Understand how to define an ISO/IEC 27001 ISMS scope and boundaries and document a Statement of Applicability (SoA)
Duration
7 h
List price
CHF 550
View module
Objectives & Performance Foundations
Learn the fundamentals of objective setting, KPI definition, and KPI governance for management systems
Duration
7 h
List price
CHF 550
View module
Objectives & Performance Foundations
Learn the fundamentals of objective setting, KPI definition, and KPI governance for management systems
Duration
7 h
List price
CHF 550
View module
Objectives & Performance Foundations
Learn the fundamentals of objective setting, KPI definition, and KPI governance for management systems
Duration
7 h
List price
CHF 550
View module
Policy Management
Build a coherent, auditable policy framework that aligns with strategy, scales across entities, and stays current without bureaucracy
Duration
7 h
List price
CHF 550
View module
Policy Management
Build a coherent, auditable policy framework that aligns with strategy, scales across entities, and stays current without bureaucracy
Duration
7 h
List price
CHF 550
View module
Policy Management
Build a coherent, auditable policy framework that aligns with strategy, scales across entities, and stays current without bureaucracy
Duration
7 h
List price
CHF 550
View module
Ready to improve your management systems?
We support continuous improvement by embedding ISO requirements into everyday practice and daily operations.
Ready to improve your management systems?
We support continuous improvement by embedding ISO requirements into everyday practice and daily operations.
Ready to improve your management systems?
We support continuous improvement by embedding ISO requirements into everyday practice and daily operations.