New Information Security Risk Entry
Rate the impact on each CIA dimension independently. The CIA Impact Score = max(C, I, A) is used in risk calculation.
Map this risk to applicable ISO 27001:2022 Annex A controls. Select all relevant controls.
The CIA Triad - ISO 27001:2022 Core Concept
The CIA Triad is the foundation of information security. ISO 27001 requires organisations to protect information against threats to all three dimensions. Each risk must be assessed for its potential impact on Confidentiality, Integrity and Availability.
Confidentiality
Information is only accessible to those authorised to have access. Breaches occur when data is disclosed to unauthorised parties.
Threats: Data breaches, hacking, eavesdropping, social engineering, insider threats, lost/stolen devices
Controls: Encryption, access controls, MFA, DLP, classification, NDAs (Annex A 5.12, 8.3, 8.24)
Integrity
Information and systems are accurate, complete and unmodified by unauthorised parties. Data can be trusted.
Threats: Data tampering, SQL injection, malware corruption, man-in-the-middle, configuration errors
Controls: Hashing, digital signatures, change management, audit logs, input validation (Annex A 8.9, 8.32, 5.3)
Availability
Authorised users have access to information and systems when needed. Outages prevent legitimate access.
Threats: DDoS attacks, ransomware, hardware failure, power outages, natural disasters, human error
Controls: Backups, redundancy, DR planning, UPS, capacity management, patch management (Annex A 8.13, 8.14, 5.30)
ISO 27001:2022 Scoring Methodology
In this tool: Risk Score = Likelihood × max(C, I, A). The highest CIA impact value drives the overall risk, ensuring that a critical impact on any single dimension is captured. Scores range from 1 to 25 across four risk bands.
ISO 27001 Risk Treatment Options - Clause 6.1.3
Clause 6.1.3 requires organisations to select appropriate risk treatment options and identify necessary controls. Treatment must result in a risk level within the organisation's risk appetite.
Modify (Treat / Mitigate)
Implement or enhance security controls to reduce the likelihood or impact of the risk to an acceptable level. This is the most common treatment option.
Use when: Risk exceeds appetite and controls are feasible and cost-effective. Select appropriate Annex A controls.
Avoid (Eliminate)
Remove the activity, asset or process that gives rise to the risk. Eliminates the risk entirely but may reduce business functionality.
Use when: Risk is unacceptably high and the activity is not essential to business objectives.
Share (Transfer)
Transfer some or all of the risk to a third party through insurance, outsourcing or contractual obligations.
Use when: The risk cannot be cost-effectively reduced internally. Note: shared risk still requires management.
Accept (Retain)
Consciously decide to retain the risk without further controls. Requires formal documented approval from senior management.
Use when: Risk is within appetite or treatment costs outweigh the benefit. Must be reviewed regularly.
Statement of Applicability (SoA)
ISO 27001 requires a Statement of Applicability listing all 93 Annex A controls with inclusion/exclusion justification. This register supports SoA preparation by mapping each risk to applicable controls. Use the Annex A page for the complete control reference.
ISO 27001:2022 - Clause 6.1 Guidance
Clause 6.1.2 requires a formal information security risk assessment process that establishes risk acceptance criteria, identifies risks to information confidentiality, integrity and availability, assigns risk owners, and analyses and evaluates risks.
6.1.2 - Risk Assessment
Define risk criteria. Identify information security risks via systematic process. Assign risk owners. Analyse and evaluate risks. Produce documented results.
6.1.3 - Risk Treatment
Select treatment options. Determine Annex A controls needed. Produce SoA. Implement risk treatment plan. Get approval from risk owners.
Risk Acceptance
Residual risks must be formally accepted by risk owners. Acceptance must be documented and reviewed at defined intervals or when changes occur.
Review Frequency
Risk assessments must be performed at planned intervals and when significant changes occur. ISO 27001 recommends at least annual review.