
How to assess consequences and likelihood in ISO 27001 risk analysis

Author: Dejan Kosutic

If you’re assessing the information security risks in your company, then identifying assets, threats, and vulnerabilities is only the first half of the job. (See also ISO 27001 risk assessment: How to match assets, threats and vulnerabilities.) The second half of the job, no less important and no less difficult, is to calculate how big the risk is – this is achieved through assessing the consequences (also called the impact) if the risk materializes, and assessing how likely the risk is to happen; with this information, you can easily calculate the level of risk.

ISO 27001 doesn’t really tell you how to do your risk assessment, but it does tell you that you must assess consequences and likelihood, and determine the level of risk – therefore, it’s up to you to figure out how to do it. You’ll find a couple of approaches in this article: these are my favorites, but there are other ways to do it as well – for more approaches see ISO 27005, the standard that explains information security risk assessment in more detail.

Note: No matter which approach you select, you have to document it in your risk methodology – see this article for explanation: How to write ISO 27001 risk assessment methodology.

Simple risk assessment

There are basically two ways to analyze the risks using the qualitative method – let’s call them simple risk assessment, and detailed risk assessment. (I’ll cover the quantitative method in another article.)

In simple risk assessment you assess the consequences and the likelihood directly – once you identify the risks, you simply have to use scales to assess separately the consequences and the likelihood of each risk. For example, you can use the scale of 0 to 4, where 0 would be very low, 1 low, 2 medium, and so on, or the scale 1 to 10, or Low-Medium-High, or any other scale. The larger the scale, the more precise the results you will have, but also the more time you will spend performing the assessment.

So, for example, in simple risk assessment you might have something like this:

  • Asset: laptop
  • Threat: theft
  • Vulnerability: employees do not know how to protect their mobile devices
  • Consequences: 3 (on a scale from 0 to 4)
  • Likelihood: 4 (on a scale from 0 to 4)

Detailed risk assessment

In the detailed risk assessment, instead of assessing two elements (consequences and likelihood), you assess three elements: asset value, threat, and vulnerability. So, here’s an example of this detailed risk assessment:

  • Asset: laptop
  • Threat: theft
  • Vulnerability: employees do not know how to protect their mobile devices
  • Asset value: 3 (on a scale from 0 to 4)
  • Threat value: 2 (on a scale from 0 to 2)
  • Vulnerability value: 2 (on a scale from 0 to 2)

When you think about this more closely, through these three elements in detailed risk assessment, you will indirectly assess the consequences and likelihood: by assessing the asset value, you are simply assessing which kind of damage (i.e., consequence) could happen to this asset if its confidentiality, integrity, or availability is endangered; both threats and vulnerabilities directly influence the likelihood – the higher the threat and the higher the vulnerability, the more likely the risk will happen, and vice versa.

And basically, this is it – if you’re a smaller company, simple risk assessment will be enough for you; if you’re a mid-size or a larger company, detailed risk assessment will do the job. And you don’t need to add any more elements, because that would only make your job more difficult. See also: How to organize initial risk assessment according to ISO 27001 and ISO 22301.

Why is evaluating both assets and consequences wrong?

Very often I see companies implementing simple risk assessment (i.e., they directly assess consequences and likelihood), but they also add the asset value to this assessment.

Why is this wrong? Because of the simple fact that they already assessed the consequences once, so they don’t need to assess them again through the asset value.

So, again – don’t try to outsmart yourself and create something complex just because you feel like it.

How to calculate the level of risk

Calculating risk is actually very simple – this is usually done through addition (e.g., 2 + 5 = 7) or through multiplication (e.g., 2 x 5 = 10). If you use a Low-Medium-High scale, then this is the same as using 1-2-3, so you still have numbers for calculation.

So, using the above examples, here is how to calculate the risk using addition:

  • Simple risk assessment: Consequences (3) + Likelihood (4) = Risk (7)
  • Detailed risk assessment: Asset value (3) + Threat value (2) + Vulnerability value (2) = Risk (7)

In detailed risk assessment, you’ll notice that I used the scale 0 to 4 for assessing the asset value, and smaller scales 0 to 2 for assessing threats and vulnerabilities. This is because the weight of consequence should be the same as the weight of likelihood – since threats and vulnerabilities jointly “represent” the likelihood, their maximum added value is 4, the same as for the asset (i.e., consequence) value.

After you’ve calculated the risks, you have to evaluate whether they are acceptable or not, and then move on to the next step: the risk treatment. To see all the steps in risk management, read this article: ISO 27001 risk assessment & treatment – 6 basic steps.
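The calculation above, worked through in code as an added example (not code from the original article): both the simple and the detailed approach are implemented with the article's scales (0 to 4 for consequences, likelihood and asset value; 0 to 2 for threat and vulnerability, so that threat plus vulnerability carries the same maximum weight of 4 as the asset value), with addition or multiplication as the combining rule. Values outside the declared scale are rejected rather than silently summed, which is a common spreadsheet error. It goes slightly beyond the text by also taking the highest of separate confidentiality, integrity and availability assessments as the consequence value (the second approach the author describes in the comments) and by marking which rows exceed an acceptance threshold; the sample register and the threshold of 5 are constructed assumptions.

```python
"""Risk-level calculation for the two qualitative approaches in the article.

Added example, not the article's own code. The sample register and the
acceptance threshold are constructed for illustration.
"""
from dataclasses import dataclass

# Scales from the article's examples: 0-4 for consequences, likelihood and
# asset value; 0-2 for threat and vulnerability (their sum maxes out at 4,
# the same as the asset value, so consequence and likelihood weigh equally).
SCALE_0_4 = range(0, 5)
SCALE_0_2 = range(0, 3)


def _checked(name: str, value: int, scale: range) -> int:
    """Reject a value outside its documented scale instead of summing it blindly."""
    if not isinstance(value, int) or value not in scale:
        raise ValueError(f"{name}={value!r} is outside scale {scale.start}..{scale.stop - 1}")
    return value


def combine(values, method: str = "add") -> int:
    """Combine assessed values by addition (default) or multiplication."""
    if method == "add":
        return sum(values)
    if method == "multiply":
        result = 1
        for v in values:
            result *= v
        return result
    raise ValueError(f"unknown method {method!r}")


def simple_risk(consequences: int, likelihood: int, method: str = "add") -> int:
    """Simple risk assessment: consequences and likelihood assessed directly."""
    return combine([_checked("consequences", consequences, SCALE_0_4),
                    _checked("likelihood", likelihood, SCALE_0_4)], method)


def detailed_risk(asset_value: int, threat_value: int, vulnerability_value: int,
                  method: str = "add") -> int:
    """Detailed risk assessment: asset value stands in for consequences,
    threat and vulnerability jointly stand in for likelihood."""
    return combine([_checked("asset_value", asset_value, SCALE_0_4),
                    _checked("threat_value", threat_value, SCALE_0_2),
                    _checked("vulnerability_value", vulnerability_value, SCALE_0_2)],
                   method)


def consequence_from_cia(confidentiality: int, integrity: int, availability: int) -> int:
    """Separate C, I and A assessments; the highest one is the consequence value."""
    return max(_checked("confidentiality", confidentiality, SCALE_0_4),
               _checked("integrity", integrity, SCALE_0_4),
               _checked("availability", availability, SCALE_0_4))


@dataclass
class RiskEntry:
    asset: str
    threat: str
    vulnerability: str
    risk: int
    acceptable: bool


def evaluate_register(register, acceptable_max: int, method: str = "add"):
    """Compute each row's risk level and flag rows above the acceptance
    threshold, which are the ones that go on to risk treatment."""
    results = []
    for row in register:
        if "likelihood" in row:  # row assessed with the simple approach
            risk = simple_risk(row["consequences"], row["likelihood"], method)
        else:                    # row assessed with the detailed approach
            risk = detailed_risk(row["asset_value"], row["threat_value"],
                                 row["vulnerability_value"], method)
        results.append(RiskEntry(row["asset"], row["threat"], row["vulnerability"],
                                 risk, risk <= acceptable_max))
    return results


# Constructed sample register: the article's two laptop examples plus one
# row whose consequence comes from separate C/I/A assessments.
SAMPLE_REGISTER = [
    {"asset": "laptop", "threat": "theft",
     "vulnerability": "employees do not know how to protect their mobile devices",
     "consequences": 3, "likelihood": 4},
    {"asset": "laptop", "threat": "theft",
     "vulnerability": "employees do not know how to protect their mobile devices",
     "asset_value": 3, "threat_value": 2, "vulnerability_value": 2},
    {"asset": "file server", "threat": "disk failure",
     "vulnerability": "no tested backups",
     "consequences": consequence_from_cia(0, 2, 4), "likelihood": 1},
]
ACCEPTABLE_MAX = 5  # assumed acceptance criterion: risk of 5 or below is accepted

if __name__ == "__main__":
    for entry in evaluate_register(SAMPLE_REGISTER, ACCEPTABLE_MAX):
        status = "accept" if entry.acceptable else "TREAT"
        print(f"{entry.asset:12} {entry.threat:14} risk={entry.risk} -> {status}")
```

Run as a script, both laptop rows come out at 7 (as in the article) and are flagged for treatment, while the file-server row scores 5 and is accepted under the assumed threshold. Whatever scales and threshold you choose, they belong in the documented risk assessment methodology, and the range check is what keeps a typo in one cell from quietly inflating a risk level.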

Don’t be a perfectionist

So, to conclude: risk management in general, but especially risk assessment and risk analysis, may seem like a perfect opportunity to make things complicated – since the requirements of ISO 27001 are rather simplistic, you can add numerous elements in trying to make your approach more “scientific.”

But, you have to ask yourself one question: is your goal to create a perfect risk assessment that will need to be performed for several months or maybe years (because your employees simply won’t understand what it is all about and will try to avoid you), or is your goal to finish this process in a reasonable timeframe, knowing that it won’t be 100% accurate, but it will at least identify the main risks, and will start your people thinking about the necessity of protecting company information?


6 responses to “How to assess consequences and likelihood in ISO 27001 risk analysis”

  1. What is my name Name says:

    Hello everyone! My question is how do these calculations of risk take under consideration the CIA Triad.

    • Jones Jardel Poersch says:

      You need to create criteria to take it into account when you are setting the values for threats and vulnerabilities.

      How will you set a value for a threat? (for example)

      Is this threat regarding a zero-day?
      Is this threat affecting confidentiality, integrity and availability (all of them)?

      You can get information about the threat from CVE to have an idea of the value for the threat; it is a good way too.

      And if we are talking about vulnerabilities?

      The same, create your criteria.

    • You should consider confidentiality, integrity and availability when assessing the consequences. Basically, there are two approaches:
      1) Applying only one assessment that takes all 3 factors (C-I-A) into account, or
      2) Applying 3 assessments – separately for confidentiality, integrity and availability – in that case, the total value of consequence is the highest out of these three.

      For both of these approaches you can use the scales like Low-Medium-High, or 0 to 4, or something else.

  2. Jones Jardel Poersch says:

    Hi Dejan
    When we are using the detailed risk assessment approach and we need to set a value for an asset / threat / vulnerability, what are the criteria usually used?

    • Rhand Leal says:

      Valuing an asset is basically the same thing as evaluating impact, so you should consider which kind of damage could happen if the confidentiality, integrity, or availability of this asset is endangered. Types of impact you may consider are impact on productivity, market share, customer confidence, etc. The higher the impact associated with this asset, the higher is its value for the organization.

      For valuing a threat, the most common aspects considered are attacker knowledge, motivation and available resources. The higher these values are, the higher is the risk the threat represents.

      For valuing a vulnerability, the most common aspects considered are how known the vulnerability is, how easy it is to be discovered, how easy it is to be exploited, and how easy it is to be accessed. The higher these values are, the higher is the risk the vulnerability represents.
