Training Module

Information Security Risk Management

Understand ISO/IEC 27001 requirements for information security risk assessment, risk treatment, and traceable risk decisions

Understand

Implement

Manage

Audit

Training module overview

ISO/IEC 27001 expects information security risk assessment and treatment to function as a disciplined decision process, not as a one-off compliance exercise. Risk work must produce outcomes that are consistent, documented, and traceable to what the organisation implements, accepts, and reviews. In practice, many ISMS implementations struggle with unclear risk criteria, weakly formulated risk statements, fragmented ownership, and treatment plans that do not clearly justify control choices or acceptance decisions.

This module focuses on how ISO/IEC 27001 expects information security risks to be defined, assessed, treated, and evidenced within an ISMS. It concentrates on the required interpretations, documented elements, and traceability relationships between risks, treatment decisions, controls, and acceptance. Emphasis is placed on producing risk artefacts that support governance, management review, and assurance, and that remain usable as the ISMS evolves over time.
Target audience

  • ISMS managers and coordinators implementing ISO/IEC 27001 risk assessment and treatment

  • Information security governance, risk, and compliance professionals supporting ISMS decision-making

  • Control owners and risk owners involved in treatment planning and acceptance decisions

  • Internal auditors and assurance professionals reviewing ISO/IEC 27001 risk artefacts for consistency and traceability (without focusing on audit technique)
Agenda

Role of risk management inside an ISMS

  • What ISO/IEC 27001 expects risk work to achieve (decision traceability, not paperwork)

  • Interfaces to scope/boundaries, objectives, controls, and management review

ISO/IEC 27001 risk terminology and required definitions

  • Information security risk concepts as used in the standard (risk owners, acceptance, residual risk)

  • What must be defined and maintained as “the method” (without re-teaching the method)

Risk criteria and consistency requirements

  • Translating governance intent into usable criteria (impact, likelihood, acceptance rules)

  • Common failure modes: criteria that cannot be applied consistently or defended

Risk assessment outputs that support treatment decisions

  • What “good risk statements” look like in an ISMS context (clarity, ownership, affected information/processes)

  • Minimum traceability fields to avoid orphan risks and untestable conclusions

Risk treatment expectations and artefacts

  • Treatment options in ISO/IEC 27001 terms and how to evidence decisions

  • Treatment planning: owners, timelines, dependencies, and residual risk handling

Traceability to controls and the SoA interface

  • How risk treatment decisions map into control selection and justification

  • SoA linkage: ensuring every included/excluded control has a defensible rationale connected to treatment decisions

Maintaining risk information over time

  • Review triggers (changes, incidents, performance signals) and practical update routines

  • Keeping risk and treatment artefacts aligned with operational reality and management review inputs

Workshop (case-based)

  • Evaluate a sample ISO/IEC 27001 risk set for criteria clarity, decision quality, and traceability

  • Produce a minimal, defensible treatment and SoA linkage for a subset of risks
Course ID: HAM-ISRM-1

Audience: Manager, Auditor

Domain: Information Security

Available in: English

Duration: 7 h

List price: CHF 550

Excl. VAT. VAT may apply depending on customer location and status.

What you get

Learning outcomes

  • Interpret ISO/IEC 27001 requirements for risk assessment and treatment in practical implementation terms

  • Define the ISO/IEC 27001-specific documented elements needed for a consistent risk method (without substituting for generic methodology)

  • Specify risk criteria and risk statement structures that support repeatable, reviewable decisions

  • Produce risk treatment artefacts that clearly evidence ownership, decisions, and residual risk handling

  • Maintain traceability from risks to treatment decisions and control selection, including robust SoA linkage logic

  • Identify common implementation and assurance pitfalls that break consistency, credibility, or traceability

  • Set up lightweight maintenance routines so risk artefacts remain aligned with change and governance cycles
Learning materials

  • Slide deck

  • Participant workbook

  • Certificate of completion
Templates & tools

  • ISO/IEC 27001 risk method definition checklist (documented elements and decision points)

  • Risk statement quality guide (structure and minimum fields)

  • Risk criteria sanity-check worksheet (consistency and usability checks)

  • Risk treatment decision log (options, rationale, ownership, residual risk)

  • Risk-to-control traceability matrix (risk → treatment → control selection)

  • SoA linkage worksheet (treatment rationale → inclusion/exclusion justification)

  • Optional AI prompt set for summarising change signals and drafting consistent risk statements (supporting, not replacing judgement)
Prerequisites

This module assumes participants can already work with general risk concepts and basic management system logic. Helpful background includes:

  • Understanding of risk terminology, evaluation, and treatment concepts (method-level competence)

  • Familiarity with management system roles, documented information, and governance routines

  • Basic information security literacy (common control categories and typical failure modes)
Strongly recommended preparatory modules

Risk Management Foundations: Consistent Risk and Opportunity Logic Across Management Systems

Learn the fundamentals of identifying, evaluating, treating, and monitoring risks and opportunities across management systems.

7 h
Documentation & Knowledge Foundations: Documented Information, Records, and Organisational Knowledge

Fundamentals of documented information control, records, and knowledge capture for management systems

7 h
Helpful preparatory modules

The modules below prepare participants for an optimal learning experience, but they are not strictly necessary in order to follow this module.

System Foundations: Context, Stakeholders, and System Boundaries

Understand organisational context, stakeholders, and system boundaries

7 h
Ready to achieve mastery?

Bring ISO requirements into everyday practice to reduce avoidable issues and strengthen the trust of your customers and stakeholders.