07/04/2026
Clarifying when Risk Assessment should take place during ISO 27001 Certification
There have been different interpretations of the requirements of Clauses 6 and 8 of the standard regarding when risk assessment should happen
While some implementers think that risk assessment is performed in both clauses, others think actual risk assessment is performed in clause 8 while clause 6 is only to document risk assessment methodology and risk treatment plan
We all know that SoA is produced in clause 6. The BIG question is that if risk assessment is performed ONLY in clause 8, how would you know which controls to include in SOA if there is no risk assessment happens in clause 6?
The answer is: you cannot produce a meaningful SoA without a conducting risk assessment first, and the standard knows this. The sequencing in the standard is logical, but confuses many implementers
Clarifying further:
Clause 6.1.2 says: define your methodology and perform an initial risk assessment.
Read carefully, Clause 6.1.2(c) requires the organisation to “DEFINE (document methodology) & APPLY (implement what you have defined) the risk assessment process” it is not purely methodology definition.
It requires actual identified risks with likelihood and impact scores to be produced.
Clause 6.1.3 then says: based on those identified risks, select controls, produce the SoA, and document the risk treatment plan.
Read 6.1.3a carefully “select appropriate information security risk treatment options, taking account of the risk assessment results”.
How then can you have risk assessment results without first conducting risk assessment?
Clause 8.2 then says: perform the risk assessment “at planned intervals and when significant changes occur”.
Meaning that you perform your subsequent risk assessments after the initial one, to keep the risk register current. The subsequent risk assessment is triggered by changes and it is routinely done
Clause 8.3 says: implement the risk treatment plan that was documented in 6.1.3 and keep implementing it as 8.2 updates the risk picture.
To summarise, the real sequence is:
Step 1 - 6.1.2 Define methodology AND perform the initial risk assessment
Step 2 - 6.1.3 Select controls, produce SoA, document RTP based on the result of risk assessment in 6.1.2
Step 3 - 8.2 Perform subsequent risk assessments as part of annual reviews, change-triggered
Step 4 - 8.3 Implement and maintain the RTP updated as 8.2 produces new outputs
Clause 6.1.2 is doing double duty: it is both the methodology definition and the first ex*****on. Clause 8.2 is the repeat cycle (routine) as part of maintaining and improving the ISMS