This is another one of the ISO 27001 clauses that gets automatically completed where the organisation has already evidenced its information security management work in line with requirements 6.1, 6.2 and in particular 7.5 where the whole ISMS is clearly documented.

The organisation must perform information security risk assessments at planned intervals and when changes require it - both of which need to be clearly documented.

Whilst information security risk assessment can be done to a very basic level in a spreadsheet, it is far better to have a tool that makes light work of the risk assessments documentation side as is the case with ISMS.online. There are also many very specialist and expensive security risk assessment applications where one could spend all day thinking about risk assessment let alone its treatment! Our view on whether to use spreadsheets, ISMS.online or a very expensive specialist application is to look at the information value at risk, the capacity, capability and confidence of the resources being applied to the ISMS and the whole ISMS management, not just the risk component. See here for more on the characteristics of the software for an ISMS, and if considering build versus buy on the information security management system solution itself, the business case planner may well be useful to review as well