ISO 27001 Risk Assessment

Most organisations approaching ISO 27001 inherit a system that has been engineered into the ground. Online risk platforms with thousands of fields. Risk registers with 200 rows. Statements of Applicability that read like a thesis. None of this is required by the standard, none of it is what your team will actually maintain, and most of it gets quietly abandoned within a year of certification. There is a simpler approach that is fully ISO 27001:2022 compliant, easier to defend at audit, and stays usable.

Why ISO 27001 Risk Assessment Has Become Overcomplicated

Most online risk platforms are built to look thorough rather than to be useful. They generate enormous registers because the marketing implies that more rows means better coverage. They also typically push the optional ISO 27001:2022 risk attributes onto the Statement of Applicability, which is illogical. A risk attribute belongs with the risk it describes, not duplicated against a list of controls. The result is a register that nobody on the operational side understands, an SoA that has become a dumping ground, and a system that creates work without reducing risk.

What ISO 27001 Risk Assessment Actually Requires

Clause 6.1.2 sets four requirements. A documented process that produces consistent and comparable results. Identification of risks to confidentiality, integrity and availability of information within the ISMS scope. Analysis and evaluation against documented criteria. Risk treatment decisions linked to the Statement of Applicability. That is the substance of it. The standard is deliberately flexible on method, and asset-based, scenario-based, or hybrid approaches all comply. What it does not require is hundreds of rows, an online platform, or risk attributes attached to the SoA.

Why the ISO 27001 Statement of Applicability Should Stay Lean

Here is the practical reason most consultants do not raise. The version reference of your Statement of Applicability is recorded on your ISO 27001 certificate. If you reissue the SoA, the version on the certificate no longer matches the current document, which can trigger a re-audit. The implication is straightforward. Anything you can keep out of the SoA, you should keep out. Detailed implementation notes, evidence references, risk attribute matrices, and threat mappings all belong elsewhere in the management system, where they can be updated freely without touching the certified document. The SoA itself should state which controls apply, the inclusion reason, and a short cross-reference to where each control is implemented. Nothing more.

How a Simple ISO 27001 Risk Assessment Works in Practice

A practical risk register identifies the risks that genuinely apply to the organisation, around 25 to 30 for a typical SME, and assesses each one properly. For each risk: threat scenarios, CIA impact, inherent rating, current controls described concretely, the Annex A controls that apply, ISO 27001:2022 risk attributes attached to the risk where they belong, residual rating against acceptance criteria, treatment decision, and a named owner. Twenty-seven well-chosen risks beat 200 generic ones at audit every time.

Our ER15 Information Security Risks Register ties risk attributes directly to the risk and the relevant Annex A controls in one place, exactly where they should sit. The F-IMS26 Statement of Applicability stays deliberately lean, with a one-line justification per control referencing the relevant IMS1 manual section. Together they replace the bloat with something maintainable, and the SoA stays stable enough to avoid unnecessary reissuing.

The downloadable templates are blank versions ready to populate. The fully worked sample data versions, with the 27 example risks and complete SoA control mappings, are included with the alphaZ subscription alongside the rest of the document library.

Download the ER15 Information Security Risks Register

Download the F-IMS26 Statement of Applicability

View the alphaZ subscription

Published: 29 April 2026