A guide to creating a risk assessment matrix

One of the most important tasks when implementing ISO 27001, the international standard for information security, is the risk assessment. 

The results of a risk assessment help you identify the threats your organisations face and the controls you need to implement. 

This can be hugely beneficial for organisations in the Gulf, which have consistently struggled to manage cyber threats. A Gartner report released last year found that organisations in the Gulf spend 66% more on data breach recovery than the global average. 

With ISO 27001, organisations are much more likely to detect vulnerabilities and address them before they are exploited. Risk assessments are at the centre of this, and they are conducted via a risk assessment matrix. 

What is a risk assessment matrix? 

A core principle of ISO 27001 is that organisations can’t expect to address every risk they face. There are simply too many ways to be exploited, and tackling them all would be too expensive and time-consuming. 

A risk assessment matrix is a scoring system that enables organisations to determine which risks pose the biggest threat and which are unlikely to have an effect. 

Using the risk assessment matrix 

The matrix is essentially a scoring system. One axis represents the probability of a risk occurring and the other represents the damage it will cause. Each cell of the central grid holds the score produced by combining the two values. 

Here’s an example of a risk assessment matrix: 

As you can see, the matrix is colour-coded based on a series of thresholds: 1–3 is in green, 4–6 is in yellow, and so on. Organisations can use these groups to help them prioritise their risks. 

For example, they might say that anything that scores higher than a 6 must be addressed, and anything below that isn’t significant enough to be addressed. 

Your cut-off point will depend on the resources at your disposal. The lower your limit, the more risks you need to address and the more of ISO 27001’s controls you’ll need to implement. 

You’ll obviously want to mitigate as many risks as possible, but remember, implementing more controls means you’ll be spreading your resources more thinly and you’ll have to spend longer maintaining and reviewing your compliance practices. 

How does the scoring system work? 

There’s no universal system for assigning a score to a certain level of damage or probability. Organisations must decide that themselves, and document their rationale in their risk assessment methodology. 

As a general guide, it’s worth remembering that the highest and lowest scores have to be open-ended. That is to say, they will be defined as ‘anything that occurs more/less often than…’ and ‘anything that causes more/less damage than…’ 

These should therefore be the first two thresholds you set, because they will affect how precise your scoring system will be and how many risks you’ll address. The higher your maximum value is, the lower the chances are of a risk scoring top marks. The reverse is true of your minimum value. 
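As an added example (not code from the article or from IT Governance), here is one way to write the scoring described above down so that the thresholds, the open-ended top and bottom bands and the treatment cut-off are explicit and repeatable. It assumes a 1–5 likelihood scale measured in expected occurrences per year, a 1–5 impact scale measured in estimated loss, multiplication as the combination rule, and the orange/red bands above yellow; the article fixes none of these and leaves them to your own methodology.

```python
from dataclasses import dataclass

# Constructed likelihood scale (occurrences per year). Each tuple is (upper bound, score).
# Both ends are open-ended: rarer than once a decade scores 1, more than monthly scores 5.
LIKELIHOOD_BANDS = [(0.1, 1), (0.5, 2), (1.0, 3), (12.0, 4), (float("inf"), 5)]

# Constructed impact scale (estimated loss in currency units), also open-ended at both ends.
IMPACT_BANDS = [(10_000, 1), (50_000, 2), (250_000, 3), (1_000_000, 4), (float("inf"), 5)]

# Colour thresholds: 1-3 green and 4-6 yellow come from the article; orange/red are assumed.
COLOUR_BANDS = [(3, "green"), (6, "yellow"), (12, "orange"), (25, "red")]

TREATMENT_CUTOFF = 6  # the article's example: anything scoring above 6 must be addressed


def band_score(value, bands):
    """Map a measured value onto a score; the last band is unbounded so it always matches."""
    for upper, score in bands:
        if value <= upper:
            return score


@dataclass
class RiskRating:
    likelihood: int
    impact: int
    score: int
    colour: str
    must_treat: bool


def rate_risk(events_per_year, loss_estimate, cutoff=TREATMENT_CUTOFF):
    """Score one risk and decide whether it falls above the treatment cut-off."""
    likelihood = band_score(events_per_year, LIKELIHOOD_BANDS)
    impact = band_score(loss_estimate, IMPACT_BANDS)
    score = likelihood * impact  # assumption: product; your methodology may combine differently
    colour = next(c for upper, c in COLOUR_BANDS if score <= upper)
    return RiskRating(likelihood, impact, score, colour, score > cutoff)


def prioritise(register, cutoff=TREATMENT_CUTOFF):
    """Return only the risks that must be treated, highest score first."""
    rated = [(name, rate_risk(freq, loss, cutoff)) for name, freq, loss in register]
    return sorted([nr for nr in rated if nr[1].must_treat], key=lambda nr: -nr[1].score)


# Constructed sample risk register: (name, expected occurrences per year, estimated loss)
SAMPLE_REGISTER = [
    ("phishing leading to credential theft", 24, 40_000),
    ("data centre fire", 0.02, 5_000_000),
    ("lost unencrypted laptop", 2, 30_000),
    ("misconfigured test server exposed", 0.4, 8_000),
]

if __name__ == "__main__":
    for name, rating in prioritise(SAMPLE_REGISTER):
        print(f"{rating.score:2} {rating.colour:6} {name}")
```

Note how the data centre fire scores only 5 under the product rule despite its maximum impact; lowering the cut-off or changing the combination rule is exactly the methodology decision the article says you must document.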

Get help documenting your risk assessment process 

IT Governance’s ISO 27001 ISMS Documentation Toolkit includes a complete set of templates for everything you need to meet the Standard’s requirements, including comprehensive coverage of the risk assessment process. 

This toolkit makes it easy to document your: 

  • Risk assessment procedure; 
  • Risk management framework; and 
  • Risk treatment plan 

Designed and developed by expert ISO 27001 practitioners, and enhanced by more than ten years of customer feedback and continual improvement, our ISO 27001 toolkit provides the guidance and tools you need for a hassle-free compliance process. 
