
What has changed in risk assessment in ISO 27001:2013

Author: Dejan Kosutic

Risk assessment has always been a hot topic, and especially now with the changes in the ISO 27001:2013 revision there are many doubts as to whether the risk assessment you've done according to the 2005 revision needs to be changed, and if so, how big the change is.

The myths

Let’s start with a couple of myths related to risk management that have developed around ISO 27001:2013:

  • “We have to use ISO 31000 for risk management.” False – ISO 31000 is only mentioned in ISO 27001:2013, but it is not mandatory. (See also ISO 31000 and ISO 27001 – How are they related?)
  • “We have to delete assets, threats and vulnerabilities from our risk assessment.” False again – you can keep your old methodology if you like it, because ISO 27001:2013 leaves you the freedom to identify risks any way you want.
  • “We do not have to identify asset owners anymore.” Another false statement – although ISO 27001:2013 does not require you to identify asset owners as part of the risk assessment, it does require you to do it in control A.8.1.2. (See also Risk owners vs. asset owners in ISO 27001:2013)
  • “The identification of risks based on confidentiality, integrity and availability (C-I-A) is a new concept.” False – this concept existed in ISO 27001:2005, too; actually, the whole standard is based on the concept of protecting the C-I-A from the very beginning.

What has changed in risk management in ISO 27001:2013

As you’ll see, the changes are not very significant:

  • Top-level Information security policy does not need to establish criteria against which risks will be evaluated – this was the requirement of ISO 27001:2005 4.2.1 b) 4); in ISO 27001:2013, you still need to define the risk assessment criteria, but not as part of the top-level policy.
  • As mentioned before, you do not need to use the assets-threats-vulnerabilities methodology to identify risks – for example, you can identify risks based on your processes, based on your departments, using only threats and not vulnerabilities, or any other methodology you like.
  • You need to identify risk owners for each risk.
  • ISO 27001:2005 required management to approve residual risks, as well as the implementation and operation of the ISMS. In contrast, ISO 27001:2013 requires the risk owners to accept the residual risks and approve the Risk treatment plan.
  • Treatment options in the 2013 revision are not limited only to applying controls, accepting risks, avoiding risks, and transferring risks as they were in the 2005 revision – basically, you are free to consider any treatment option you find appropriate.

One indirect change that is not visible at first reading of the standard is that risk management has taken over the role of preventive actions (preventive actions no longer exist in the 2013 revision); this only becomes obvious when reading clause 6.1.1 of ISO 27001:2013 more carefully. But this change makes sense: preventive actions are nothing other than concluding what negative things can happen in the future and taking action to prevent them, and this is exactly what risk assessment and treatment are about. Therefore, ISO 27001:2013 has only corrected what was not very logical in ISO 27001:2005, and the good thing is that you do not have to change your risk assessment process because of it.

So, as you can see, the changes in risk assessment and treatment are relatively minor, and if you’ve done a good job with ISO 27001:2005, then you’ll find the transition to the 2013 revision of ISO 27001 relatively easy. All you need to do is identify risk owners for each risk, and give them the responsibility to make decisions about the risks.


Dejan Kosutic
Lead ISO 27001/ISO 22301 Expert, Advisera

