Training Module
Information Security Risk Management
Systematically assess, treat and document information security risks with traceable decisions in line with ISO/IEC 27001
Overview
Risk registers and scoring exercises often sit in isolation, disconnected from control selection and acceptance decisions.
This training module explains how ISO/IEC 27001 frames risk assessment and treatment, how to define risk criteria and statements, and how to document assessment results in a way that supports treatment planning and residual risk acceptance. Participants learn to produce coherent risk treatment artefacts that link risks, treatment options, selected controls and the Statement of Applicability. The module emphasises traceability and maintenance rather than the mechanics of scoring models.
Applicable environments
This module applies to organisations implementing or operating an information security management system (ISMS) in line with ISO/IEC 27001. It focuses on how the standard’s requirements are interpreted and applied in practice within real organisational contexts.
The content is relevant for organisations seeking certification as well as for those using ISO/IEC 27001 as a reference framework to structure responsibilities, processes, and controls in the information security domain.
Target audience
People involved in designing, building, operating, or improving an ISMS aligned with ISO/IEC 27001
Executives and department heads accountable for the effectiveness and performance of an ISMS
Those responsible for processes, policies, assets, risks, and controls related to information security
Auditors of ISO/IEC 27001 who want to deepen their understanding of management-side best practices (not audit technique)
Decision support
Is this module for you?
Agenda
Role of risk management inside an ISMS
ISO/IEC 27001 risk terminology and required definitions
Risk criteria and consistency requirements
Risk assessment outputs that support treatment decisions
Risk treatment expectations and artefacts
Traceability to controls and the SoA interface
Maintaining risk information over time
Case-based workshop
Show detailed agenda...
Learning outcomes
Key outcomes
Interpret ISO/IEC 27001 risk assessment and treatment requirements in practical terms
Define documented elements (criteria, statements, decision records) needed for consistent risk methods
Produce risk treatment artefacts that evidence decisions and residual risk acceptance
Additional capabilities
Maintain traceability from risks through treatment decisions to controls and the Statement of Applicability
Identify common pitfalls in risk assessment and treatment that lead to paper exercises
Set maintenance routines and review triggers to keep risk records current and useful
Materials
Learning materials
Slide deck
Participant workbook
Templates & tools
Practical, reusable artefacts to apply the module directly to your organisation.
Information security risk management process
Example information security risk register
Risk criteria quality check list
Risk treatment decision log
Risk treatment plan template
Supporting AI prompt set for typical use cases
Confirmation
Certificate of completion
Module ID
HAM-IS-S-02
Discipline
ISO standard
Standard clause
6: Planning
8: Operation
Target audience
Public delivery
Live virtual
Duration
7 h
List price
CHF 550
Excl. VAT. VAT may apply depending on customer location and status.
Delivery
Live virtual delivery
This module is delivered live online and combines conceptual framing, discussion, case work and direct interaction with the instructor.
A public cohort is currently not scheduled. If you register your interest, we will notify you when a new public cohort is scheduled or suitable delivery options become available.
Custom delivery options
For organisations with specific constraints or learning objectives, the module can be adapted in format or scope, including in-house delivery and contextualised case material.
For an optimal learning experience
Prerequisites & preparation
This module is designed as part of a modular training approach. Topics are deliberately distributed across modules and are not repeated in full, in order to avoid unnecessary redundancy. Each module is self-contained and can be taken on its own. Where prior knowledge or experience is helpful, this is indicated below so you can decide whether any preparation is useful for you.
Assumed background
This module assumes participants can already work with general risk concepts and basic management system logic.
Helpful background includes:
Understanding of risk terminology, evaluation, and treatment concepts
Familiarity with management system roles, documented information, and governance routines
Basic information security literacy
Preparatory modules
Foundational modules (depending on background)
Useful if you are new to the underlying concepts or want a shared baseline before attending this module.
Supporting modules (optional)
Helpful if you want to deepen related skills, but not required to participate effectively.
