
How Lead Auditors Assess Risk Under ISO 27001

  • Feb 26


ISO 27001 Risk Assessment


In my experience as a Lead Auditor, I’ve seen many organisations approach ISO 27001 risk assessment as a creative writing exercise. They start by building a massive spreadsheet, fill it with ‘low, medium, high’ labels and hope I won't look too closely at the underlying detail.

But in 2026, with cyber threats evolving at machine speed, auditors have had to adjust their approach to a far more threatening landscape. We are not looking for a perfect list of risks. We want to see a robust and repeatable methodology that proves your leadership understands the threats to your specific business crown jewels.


1. The Methodology: It’s Not About the Tool, It’s About the Logic


Under Clause 6.1.2, ISO 27001:2022 is surprisingly non-prescriptive. It doesn't tell you how to assess risk, only that you must have a process that is consistent and valid.


When I step into a room to audit your Information Security Management System (ISMS), I start by looking at your risk criteria. I’m checking whether your definitions of "Impact" and "Likelihood" are actually aligned with your business reality.


Auditor Tip: If your "High Impact" risk level is defined as a £10k loss, but your company clears £100m in revenue, your methodology is fundamentally flawed. Your risk appetite must be calibrated to your business goals.


2. The Crown Jewels Test: Asset Based vs. Scenario Based


While the 2022 update allows for a more scenario-based approach, I still look to see how you identify your primary assets. A Lead Auditor assesses your risk by asking:

  • Confidentiality: Who can see this data?

  • Integrity: Can I trust that this data hasn't been tampered with?

  • Availability: Can my team access this data during a DDoS attack or a hardware failure?

In 2026, this also extends to AI assets. If your risk assessment doesn't account for model weights or training data integrity, you’re leaving a huge blind spot in your audit.


3. Clause 6.1.3: The Statement of Applicability (SoA)


To borrow medical terms for how these two aspects work together: I see the risk assessment as the ‘diagnosis’ and the Statement of Applicability (SoA) as the ‘prescription’.


As a Lead Auditor, I cross-reference your Risk Treatment Plan directly with your SoA. If you identified ‘Unauthorised Access’ as a high risk, but you’ve excluded Annex A.5.15 (Access Control) from your SoA, then I’m flagging an immediate Major Non-Conformity.


Auditors look for the ‘Why’. Why did you choose this control? Why did you exclude that one? If the justification for an exclusion is that you don't operate a certain control, I’ll be looking for evidence to prove it.


4. The Calculation: Moving Beyond Simple Maths


Risk can often be simplified into a formula. For formal auditing purposes, an auditor will look at:

Risk = Likelihood x Impact


However, a sophisticated 2026 audit should also consider Vulnerability and Threat as part of the equation.


  • Threat: The external force (e.g., a ransomware gang).

  • Vulnerability: The internal weakness (e.g., an unpatched legacy server).


If your assessment shows a high threat but no recognised vulnerability, I’m likely to challenge your ‘Likelihood’ score.


5. Common Pitfalls I Catch in 2026 Audits


  • Static Risk Registers: If your risk register hasn't been updated since 2024, I’d be very concerned and would mark it as a Major Non-Conformity. Auditors want to see that the Plan-Do-Check-Act (PDCA) cycle is actually spinning and in place for your organisation.

  • Ignoring the Supply Chain: Third-party risk is the #1 vector for breaches this year. If your assessment stops at your office door, it’s incomplete and unfit for purpose.

  • Lack of Management Buy-In: If top management hasn't signed off on the Risk Appetite, the ISMS lacks the authority required by Clause 5.1.
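The three checks described in sections 3, 4 and 5 (treatment plan vs. SoA, likelihood challenged when a high threat has no recognised vulnerability, and a stale register) can be expressed as a mechanical pre-audit pass over a risk register. The script below is an added illustration, not part of the original post and not an ISO 27001 rule set; the 1-to-5 scales, the 365-day review period, the threshold values and the sample register and SoA entries are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class Risk:
    ref: str
    likelihood: int        # assumed scale 1 (rare) .. 5 (almost certain)
    impact: int            # assumed scale 1 (negligible) .. 5 (severe)
    threat: int            # assumed scale 1 .. 5, strength of the external force
    vulnerability: int     # 0 = no recognised internal weakness, else 1 .. 5
    controls: list         # Annex A controls named in the Risk Treatment Plan
    last_reviewed: date

    @property
    def score(self) -> int:
        # Risk = Likelihood x Impact, the baseline formula from section 4
        return self.likelihood * self.impact

def review(risks, soa, audit_date, stale_after_days=365, high_threat=4):
    """Return (risk ref, severity, reason) findings; heuristics are constructed."""
    findings = []
    for r in risks:
        # Section 3: a control excluded in the SoA cannot be treating a risk
        for c in r.controls:
            if not soa.get(c, False):
                findings.append((r.ref, "MAJOR", f"treated by {c} but SoA excludes it"))
        # Section 4: high threat with no recognised vulnerability -> challenge likelihood
        if r.threat >= high_threat and r.vulnerability == 0 and r.likelihood >= 3:
            findings.append((r.ref, "CHALLENGE", "high threat, no vulnerability, likelihood >= 3"))
        # Section 5: static register, risk not reviewed within the review period
        if (audit_date - r.last_reviewed).days > stale_after_days:
            findings.append((r.ref, "MAJOR", "not reviewed within review period"))
    return findings

# Constructed sample SoA: A.5.15 (Access Control) excluded, A.8.7 (Malware protection) applicable
SOA = {"A.5.15": False, "A.8.7": True}
# Constructed sample register entries
RISKS = [
    Risk("R1", 4, 5, 5, 4, ["A.5.15"], date(2026, 1, 10)),  # unauthorised access
    Risk("R2", 4, 3, 5, 0, ["A.8.7"], date(2025, 11, 2)),   # ransomware, no weakness recorded
    Risk("R3", 2, 2, 2, 2, ["A.8.7"], date(2024, 6, 1)),    # last reviewed in 2024
]
AUDIT_DATE = date(2026, 2, 26)

if __name__ == "__main__":
    for ref, severity, reason in review(RISKS, SOA, AUDIT_DATE):
        print(f"{ref}: {severity} - {reason}")
```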

Conclusion: Resilience is the Goal


Lead Auditors don't want to fail you. We want to ensure that if a crisis hits tomorrow, your business survives. A high-quality risk assessment isn't a hurdle to certification; realistically, it should be seen as a blueprint for Operational Resilience.


Is your risk assessment ready for a 2026 audit?






Sampson ISO Audit & Consult Ltd
