Clause 6.1.2 of ISO/IEC 27001:2022 describes how organisations may approach the identification of information security risks and opportunities using defined methods and risk criteria. Unlike Clause 6.1.3, which addresses risk treatment and control selection, Clause 6.1.2 focuses on how risks are identified, analysed, and evaluated within the scope of the ISMS.
For SMEs and startups, this clause may support a proportionate and practical approach to risk identification that aligns with organisational context, information types, and available resources. Rather than relying on complex frameworks or enterprise-level tools, smaller organisations often apply simpler, repeatable methods that remain consistent with ISO 27001 principles.
This article explains Clause 6.1.2 using SME-focused steps, illustrative examples, and guidance that organisations may use to support clarity, consistency, and alignment with ISO/IEC 27001:2022.
What Clause 6.1.2 Covers
Clause 6.1.2 describes activities organisations typically address when identifying information security risks and opportunities, including:
- Defining a repeatable method for identifying information security risks and opportunities
- Establishing risk criteria prior to conducting analysis
- Applying the chosen method consistently across the defined ISMS scope
- Considering opportunities that may improve ISMS effectiveness
- Maintaining documented information that reflects the process and outcomes
The clause does not specify:
- Particular software or tools
- Mathematical scoring methods or complex formulas
- A prescribed risk management framework
- Selection of controls or Annex A mapping (addressed separately under Clause 6.1.3)
SME Tip: Many SMEs find that focusing on clarity, consistency, and relevance may support practical risk identification, without the overhead of complex tools or models.
Step 1: Establish Risk Criteria
Risk criteria describe how an organisation evaluates the potential impact and likelihood of risks, and which level of risk it considers acceptable. Defining clear criteria at the outset supports consistent, repeatable decision-making, which is particularly valuable for SMEs.
Risk criteria typically consider:
- Internal and external context (Clause 4.1).
- Expectations of interested parties (Clause 4.2).
- Types of information and assets processed.
Impact Criteria (CIA Model)
Impact reflects the potential consequences if a risk materialises, focusing on how incidents could affect Confidentiality, Integrity, and Availability (CIA) of information. In ISO 27001 risk assessment, impact levels commonly help guide prioritisation and decisions about risk treatment.
Illustrative Examples:
| Level | Confidentiality | Integrity | Availability |
|---|---|---|---|
| High | Exposure of sensitive, contractual, or customer data | Alteration of essential business data | Outage affecting important services or processes |
| Medium | Limited disclosure of internal information | Minor discrepancies with minimal operational effects | Temporary slowdown or disruption |
| Low | Low sensitivity data exposed | Trivial inconsistencies | Short inconvenience with minimal impact |
Likelihood Criteria
Likelihood refers to the probability that a risk may occur, based on observable factors and historical context. It may help organisations prioritise which risks could need closer attention.
Illustrative Examples:
- High: Plausible under current conditions; similar issues observed internally or in comparable organisations
- Medium: Possible but less frequent; partial safeguards exist
- Low: Limited pathways for occurrence; controls are applied consistently
Risk Acceptance Criteria

Risk acceptance criteria indicate what level of risk an organisation may tolerate and who may approve residual risk.
Illustrative Examples:
- High risks: Organisations may choose to address these promptly.
- Medium risks: Organisations may choose to mitigate or document justification.
- Low risks: Organisations may choose to accept risk with clear rationale.
SME Tip: Recording approval responsibilities for residual risks may support accountability and transparency.
Step 2: Identify Information Security Risks

This step supports the identification of information security risks across the ISMS scope, in line with ISO 27001 Clause 6.1.2. A structured approach can help organisations capture risks consistently and in a repeatable manner.
a) Identify Assets and Information Types
Begin by listing key assets and information that support business operations and may require protection.
Illustrative Examples:
- Customer data, HR records, intellectual property
- Source code repositories, cloud workloads, payment systems
- Operational processes, production environment
b) Identify Threats and Vulnerabilities
Map each asset to potential threats and known vulnerabilities that could affect confidentiality, integrity, or availability.
Illustrative Examples:
- Misconfigurations in cloud resources
- Lack of monitoring or logging
- Phishing or social engineering risks
- Excessive access rights or single-person dependencies
c) Consider Internal and External Issues (Clause 4.1)
Organisations may consider internal structures, processes, technology, and external factors such as regulatory requirements, suppliers, or market conditions when identifying risks.
Illustrative Examples:
- Technology stack and system interdependencies
- Organisational changes or restructures
- Supplier or third-party dependencies
- Regulatory landscape or compliance requirements
- Resource constraints such as staffing, budget, or expertise
d) Consider Interested Party Requirements (Clause 4.2)
Consider the expectations and requirements of interested parties – including customers, partners, and regulators – when identifying risks and opportunities.
Illustrative Examples:
- Contractual obligations and security requirements from customers or partners
- Data handling and privacy obligations
- Industry norms, reporting standards, or regulatory requirements
e) Identify Process-Specific Risks
Examine processes where risks may arise or have a notable impact on information security.
Illustrative Examples:
- Deployment and change management
- Account provisioning and offboarding
- Third-party onboarding
- Core operational workflows
f) Consider Existing Controls
Risk identification should take the current control environment into account. Knowing which controls already exist gives context to each risk and supports more informed decisions about treatment and resource allocation.
Step 3: Identify Opportunities
Opportunities are ways organisations may consider improving ISMS processes or aspects of information security. Rather than creating an exhaustive list, focusing on a few actionable and relevant improvements can help small teams apply changes in a manageable way. This step aligns with ISO 27001 Clause 6.1.2 guidance on identifying risks and opportunities.
Illustrative Examples:
- Adjusting monitoring or alerting to potentially reduce response time
- Reviewing backup routines or validation processes
- Refining access provisioning workflows
- Updating staff training based on recurring incidents
SME Tip: Two or three meaningful opportunities may support improved processes while remaining manageable for small teams, depending on organisational context.
Step 4: Analyse and Evaluate Risks
Organisations may use any consistent method – qualitative scales, ordinal scoring, or likelihood × impact models – when analysing and evaluating risks. ISO 27001 Clause 6.1.2 does not prescribe mathematical formulas; clarity, repeatability, and alignment with the defined risk criteria may support more consistent risk assessment.
Example Qualitative Model
The following table illustrates how an SME might evaluate risks:
| Risk | Likelihood | Impact | Risk Level | Notes |
|---|---|---|---|---|
| Unauthorised access to cloud console | Medium | High | Medium-High | MFA applied inconsistently; privilege drift noted |
| Production misconfiguration | Medium | High | Medium-High | Deployment paths differ across environments |
| Dependency on single engineer | High | Medium | Medium-High | Knowledge concentrated in one team member |
Including a brief rationale for each evaluation may help maintain context and transparency in decision-making.
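The following is an added example, not part of the article or of ISO/IEC 27001, showing how the qualitative model above, the acceptance criteria from Step 1, the record fields from Step 5 and the review frequencies from the FAQ can be applied as one consistent, repeatable evaluation. The ordinal scales, the rule that combines likelihood and impact into a level, the treatment and review mappings, and the register rows are all assumptions constructed from the article's illustrative tables.

```python
"""Qualitative risk register evaluator (added example, not the article's own tool).

Assumptions: three-level ordinal scales, an assumed combination rule that maps
likelihood + impact to a risk level, and treatment/review policies derived from
the article's illustrative examples. The register rows are constructed samples.
"""
from dataclasses import dataclass, asdict

LEVELS = {"Low": 1, "Medium": 2, "High": 3}            # ordinal scales (Step 1)
RISK_LEVEL = {2: "Low", 3: "Low-Medium", 4: "Medium",  # assumed mapping of
              5: "Medium-High", 6: "High"}             # likelihood + impact
ACCEPTANCE = {                                         # assumed, from Step 1 examples
    "High": "address promptly", "Medium-High": "address promptly",
    "Medium": "mitigate or document justification",
    "Low-Medium": "accept with clear rationale", "Low": "accept with clear rationale"}
REVIEW = {                                             # assumed, from the FAQ
    "High": "quarterly", "Medium-High": "quarterly",
    "Medium": "annually", "Low-Medium": "annually", "Low": "annually"}

@dataclass
class RiskEntry:
    asset: str              # asset or process (Step 5 record fields)
    threat: str             # threat and vulnerability
    likelihood: str
    impact: str
    existing_controls: str
    owner: str              # responsible role
    rationale: str          # brief rationale for the evaluation

def evaluate(entry: RiskEntry) -> dict:
    """Return the documented record for one risk; reject values outside the criteria."""
    for name, value in (("likelihood", entry.likelihood), ("impact", entry.impact)):
        if value not in LEVELS:
            raise ValueError(f"{name} {value!r} is not a defined level {sorted(LEVELS)}")
    level = RISK_LEVEL[LEVELS[entry.likelihood] + LEVELS[entry.impact]]
    record = asdict(entry)
    record.update(risk_level=level, treatment=ACCEPTANCE[level], review=REVIEW[level])
    return record

def rank(entries: list[RiskEntry]) -> list[dict]:
    """Evaluate a register and order it highest risk first for treatment planning."""
    records = [evaluate(e) for e in entries]
    return sorted(records, key=lambda r: -(LEVELS[r["likelihood"]] + LEVELS[r["impact"]]))

# Constructed sample register mirroring the article's three example rows.
SAMPLE_REGISTER = [
    RiskEntry("Cloud console", "Unauthorised access", "Medium", "High",
              "MFA applied inconsistently", "IT lead", "privilege drift noted"),
    RiskEntry("Production environment", "Misconfiguration", "Medium", "High",
              "Peer review of changes", "Platform lead", "deployment paths differ"),
    RiskEntry("Key engineer", "Single-person dependency", "High", "Medium",
              "None", "CTO", "knowledge concentrated in one team member"),
]

if __name__ == "__main__":
    for r in rank(SAMPLE_REGISTER):
        print(f"{r['risk_level']:<12} {r['asset']:<24} {r['treatment']}; review {r['review']}")
```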
Step 5: Document Results

Organisations may record risk assessment results in any format that works for their team. Common elements often include:
- Asset or process
- Threat and vulnerability
- Impact and likelihood
- Risk level
- Existing controls
- Opportunity
- Responsible role
- Review frequency
Documentation that is clear and structured may help teams reference the records consistently and support understanding of the method, criteria, and outputs.
Step 6: Prepare for Clause 6.1.3
After identifying, analysing, and evaluating risks under Clause 6.1.2, organisations may consider the following next steps:
- Determine potential treatment options
- Select relevant controls
- Map risks to Annex A controls
- Integrate findings into the Statement of Applicability (SoA)
Following a structured Clause 6.1.2 approach may support more consistent application of these activities and can provide a reference framework that organisations may use for managing information security processes.
Frequently Asked Questions – Clause 6.1.2 for SMEs
Q: How many risks should an SME document?
A: Organisations may start with around 10 – 20 high-relevance risks that could meaningfully affect the organisation. Focusing on a manageable number of risks can support clarity and ease of use.
Q: Do SMEs need numerical scoring for risks?
A: Numerical scoring is optional. A simple qualitative or ordinal model may be sufficient, provided it is applied consistently across all identified risks.
Q: How often may risks be reviewed?
A: The overall risk assessment is usually reviewed annually or after significant changes (e.g. in business, systems, or regulations). Organisations may consider different review frequencies based on risk level:
- High Risks: Organisations may consider reviewing monthly or quarterly for active monitoring.
- Medium / Low Risks: Organisations may consider reviewing quarterly or annually to track treatment and monitor status.
Q: Can one person handle risk identification in an SME?
A: Yes, but involving multiple stakeholders is generally recommended to capture diverse perspectives and reduce potential blind spots.
Practical Steps for SMEs to Identify Risks and Opportunities
Clause 6.1.2 offers SMEs a practical approach to identifying information security risks and opportunities in a repeatable and proportionate way aligned with ISO/IEC 27001:2022. By defining risk criteria, documenting assets and threats, considering internal and external factors, and analysing risks with simple, consistent methods, organisations may improve clarity, accountability, and informed decision-making in their ISMS.
These steps can also support progression to Clause 6.1.3, where risk treatment and control selection are considered. Applying this approach may help SMEs maintain effective information security practices while keeping processes manageable, relevant, and suited to business priorities.
Next Steps: Organisations may choose to implement this structured risk identification method and prepare to link outputs to Clause 6.1.3 for treatment and control selection. For practical templates, see the ISO 27001 (Risk Management) templates and ISO 27001 templates.
Next Articles: In Common ISO 27001 Misconceptions Among SMEs, the article clarifies common ISO 27001 misconceptions among SMEs and explains how small businesses can implement a scalable, risk-based ISMS effectively.
Related Guides
Explore these ISO 27001 resources to help your SME build a practical, lean ISMS:
Start Here: Complete Guide
- ISO 27001 for SMEs and Startups: The Chill Implementation Guide (2026 Edition) – Full roadmap covering all clauses and Annex A controls, with practical steps, examples, and guidance.
A. ISO 27001 Foundations – Detailed Guides by Topic
- ISO 27001 Requirements: A Clause-by-Clause Summary and Practical Guide for SMEs – Practical ISO 27001 guidance for SMEs, with step-by-step instructions, examples, and tips to build an efficient and effective ISMS.
- Common ISO 27001 Misconceptions Among SMEs – A practical overview of common SME misunderstandings about ISO 27001 and how to approach implementation more confidently.
- Who Needs ISO 27001? Use Cases for SMEs, Startups, and SaaS – Practical guidance on when ISO 27001 adds value, key use cases, and alternatives for businesses not ready for full certification.
- ISO 27001 vs SOC 2: Comparison Guide for SMEs and Startups – Clear, practical guidance for SMEs and startups on choosing between ISO 27001 and SOC 2, with key differences, use cases, and implementation tips.
Please Note: This article provides general information only and does not constitute legal, regulatory, or compliance advice. Using our products or following this guidance cannot guarantee certification, improved business outcomes, or regulatory compliance. Organisations remain responsible for ensuring all actions meet certification and compliance requirements.