C H A P T E R 0 4
Risk Assessment Methodology
Clause 6.1.2 of ISO 27001 requires the organisation to define and apply a documented, repeatable information security risk assessment process. This is the engine of the ISMS — every control selection, every resource allocation, and every management review agenda item should trace back to a risk that has been identified, evaluated, and treated through this process. An ISMS without a functioning risk assessment methodology is, in the auditor's view, an ISMS that does not meet the standard's intent.
The standard does not prescribe a specific methodology. Some organisations adopt ISO 27005 (the companion standard for information security risk management), others use NIST SP 800-30, and many develop their own approach calibrated to their context. What the standard does require is that the methodology produces consistent, valid, and comparable results — meaning two people assessing the same risk should arrive at substantially similar conclusions.
The 5 x 5 Risk Matrix
The most commonly adopted approach — and the one we recommend for most organisations — is a semi-quantitative 5 x 5 matrix that plots likelihood (1–5) against impact (1–5) to produce a risk score between 1 and 25. Each axis is anchored to defined criteria: likelihood ranges from "rare" (less than once every 5 years) to "almost certain" (expected to occur multiple times per year); impact ranges from "negligible" (no material effect) to "catastrophic" (existential threat to the organisation). These criteria must be documented and approved by management before the first risk assessment begins.
Six-Step Risk Assessment Process
- •1. Define risk criteria: Establish the likelihood and impact scales, risk appetite thresholds, and acceptable risk levels. These must be approved by top management and documented in the risk management policy.
- •2. Asset inventory: Build a comprehensive inventory of information assets within the ISMS scope — data, hardware, software, facilities, people, and services. Each asset should have an assigned owner.
- •3. Threat and vulnerability identification: For each asset (or asset group), identify plausible threats (e.g., ransomware, insider theft, natural disaster) and the vulnerabilities that could be exploited (e.g., unpatched systems, lack of MFA, no off-site backups).
- •4. Risk evaluation: Apply the likelihood and impact criteria to each threat-vulnerability pair to calculate a risk score. Plot results on the risk matrix and prioritise by score.
- •5. Risk treatment: For each risk above the acceptable threshold, select a treatment option: mitigate (apply controls), transfer (insurance or outsourcing), avoid (cease the activity), or accept (with documented justification and management sign-off).
- •6. Statement of Applicability (SoA): Document which Annex A controls are applicable, which are implemented, which are planned, and which are excluded (with justification). The SoA is one of the most scrutinised documents during the Stage 1 audit.
Common mistakes: The three most frequent risk assessment failures we encounter are: (1) asset inventories that are too high-level to support meaningful threat identification, (2) risk criteria that were never formally approved by management, and (3) SoAs that use the old 2013 Annex A numbering instead of the 2022 structure — an immediate finding in any audit against the current standard.
Complio generates a pre-populated SoA template aligned to ISO 27001:2022 Annex A, with each of the 93 controls mapped to evidence requirements and linked to the risk register. This eliminates the manual cross-referencing that consumes significant effort in traditional implementations.
C H A P T E R 0 5
Annex A Controls — Selection and Implementation
A persistent misconception about ISO 27001 is that all 93 Annex A controls are mandatory. They are not. The standard requires organisations to determine which controls are necessary based on their risk assessment results and to document their applicability decisions in the Statement of Applicability. A control can be excluded provided the exclusion is justified — typically because the risk it addresses does not exist within the ISMS scope, or because an alternative control adequately mitigates the risk.
That said, most organisations find that the majority of controls are applicable. In our experience, a typical SoA for a mid-sized technology company will declare 80–90 of the 93 controls as applicable. The controls most commonly excluded are those related to physical security (for fully remote organisations) or secure coding (for organisations that do not develop software).
Organisational Controls (37 Controls)
This is the largest theme and covers the governance and management aspects of information security. Key controls include A.5.1 (policies for information security — the foundational policy set that every ISMS requires), A.5.2 (information security roles and responsibilities — ensuring every control has a defined owner), A.5.7 (threat intelligence — the new requirement for organisations to collect, analyse, and act on relevant threat data), A.5.12 (classification of information — a prerequisite for effective access control and data handling), A.5.19 (information security in supplier relationships — governing third-party risk), A.5.23 (cloud services — one of the most impactful new controls), and A.5.26 (response to information security incidents — requiring a documented incident response process with defined roles).
People Controls (8 Controls)
The people theme addresses the human element of information security. A.6.3 (information security awareness, education, and training) requires more than an annual online quiz — auditors expect role-specific training programmes with participation records and competency assessments. A.6.4 (disciplinary process) ensures there are documented consequences for policy violations. A.6.7 (remote working) has taken on new significance in the post-pandemic environment, requiring organisations to define security expectations for home offices, personal devices, and remote network connections.
Physical Controls (14 Controls)
Physical controls cover the protection of facilities, equipment, and physical media. A.7.1 through A.7.3 address physical security perimeters, entry controls, and office security. A.7.4 (physical security monitoring) is a new control requiring surveillance systems for premises that house sensitive information assets. A.7.7 (clear desk and clear screen) remains a standard requirement — simple in concept but frequently non-compliant in practice, particularly in open-plan offices.
Technological Controls (34 Controls)
This theme covers the technical security controls that most IT teams are familiar with. Access control (A.8.2 through A.8.5) covers user access management, privileged access, and multi-factor authentication — A.8.5 now explicitly requires MFA for all access to systems processing sensitive information, not just remote access. Secure development (A.8.25 through A.8.28) covers the secure software development lifecycle, including the new A.8.28 (secure coding) requirement. Configuration management (A.8.9 — new) requires documented, monitored baselines for all system components. DLP (A.8.12 — new) requires controls to prevent unauthorised data exfiltration across all channels. Vulnerability management (A.8.8) and logging/monitoring (A.8.15 and A.8.16) round out the technical control baseline.
Largest gap areas:Across our ISO 27001:2022 gap assessments, the four controls that most frequently present significant gaps are A.5.23 (cloud services — no documented cloud security policy), A.8.12 (DLP — no technical DLP capability deployed), A.5.7 (threat intelligence — no structured process for threat data collection), and A.8.9 (configuration management — no baseline configurations documented or monitored).
Complio maps each applicable control to specific evidence requirements and assigns ownership, creating a living compliance register that tracks implementation status and flags overdue items. Combined with our ISO 27001 certification service, this approach ensures that control implementation stays on track throughout the project lifecycle.
C H A P T E R 0 6
The 6–12 Month Implementation Roadmap
How long does ISO 27001 implementation take? The honest answer depends on your starting point. Organisations with an existing, documented security programme — formal policies, an asset register, regular risk assessments, and established governance — can typically achieve certification in 6 months. Those with documented policies but inconsistent implementation usually require 9 months. Organisations starting from scratch — no formal security programme, limited documentation, and ad-hoc processes — should plan for 12 months. These timelines are drawn from 45+ real engagements across Asia-Pacific and assume a dedicated project lead with adequate management support.
The following roadmap describes the 12-month path — the most common scenario for first-time certifiers. Organisations with greater maturity can compress the early phases and focus their effort on gap remediation and evidence collection.
| Month | Phase | Key Deliverables |
|---|
| 1 | Project Initiation | Executive sponsorship secured, project charter approved, ISMS project team formed, Complio deployed |
| 2 | Context & Scope | Clause 4.1/4.2 analysis complete, scope statement drafted, interested parties register created |
| 3 | Risk Assessment | Risk methodology approved, asset inventory complete, threat/vulnerability identification started |
| 4 | Risk Treatment | Risk evaluation complete, risk treatment plan approved, SoA drafted |
| 5–6 | Policy Development | Core ISMS policies written (information security, access control, acceptable use, incident response, supplier management, etc.), approved by management |
| 6–7 | Control Implementation | Technical controls deployed (MFA, logging, DLP, vulnerability scanning), physical controls verified, supplier agreements updated |
| 7–8 | Awareness & Training | Security awareness programme launched, role-specific training delivered, training records captured in Complio |
| 8–9 | Operational Run | ISMS operating in production — incidents logged, changes managed, access reviews conducted, evidence collected |
| 9–10 | Internal Audit | Full internal audit conducted against ISO 27001:2022, findings documented, corrective actions initiated |
| 10–11 | Management Review | Management review meeting held (Clause 9.3), ISMS performance reviewed, improvement actions approved |
| 11 | Pre-Assessment | Optional pre-assessment by EIC to identify residual gaps before certification audit |
| 12 | Certification Audit | Stage 1 (documentation review) and Stage 2 (on-site assessment) conducted by accredited CB |
Key Dependencies
Three dependencies consistently determine whether an implementation stays on schedule. First, executive sponsorship — the ISMS requires policy approvals, resource allocation, and management review participation that only senior leadership can provide. Implementations without an engaged executive sponsor routinely exceed their timeline by 3–6 months. Second, IT cooperation — technical control implementation (MFA rollout, logging configuration, DLP deployment) depends on IT teams that have their own project backlogs. Early alignment with the IT department is critical. Third, supplier contracts — updating supplier agreements to include information security requirements (A.5.19, A.5.20) often involves legal review and re-negotiation, which can introduce delays of 4–8 weeks per supplier.
EIC manages this end-to-end through our ISO 27001 certification service, providing a dedicated Lead Auditor who acts as project director, Complio for evidence management, and fortnightly steering calls to maintain momentum and flag blockers early.
C H A P T E R 0 7
The Certification Audit — What to Expect
The ISO 27001 certification audit is a two-stage process conducted by an accredited certification body (CB) in accordance with IAF MD 1 (the International Accreditation Forum's mandatory document for management system audits). It is important to understand that EIC acts as the implementation partner — we help you build the ISMS, prepare the documentation, and achieve audit readiness. The certification body is a separate, independent entity. This separation is mandated by ISO 17021 (requirements for audit and certification bodies) and ensures the integrity of the certification process.
Stage 1: Documentation Review
Stage 1 is typically 1–2 days and focuses on the ISMS documentation. The auditor reviews the scope statement, information security policy, risk assessment methodology and results, Statement of Applicability, internal audit reports, and management review minutes. The purpose is to confirm that the ISMS documentation is complete, aligned to ISO 27001 requirements, and ready for a Stage 2 on-site assessment. The auditor will also plan the Stage 2 audit — identifying areas of emphasis, confirming logistics, and scheduling interviews. Stage 1 findings are typically observations or minor non-conformities related to documentation gaps. A major non-conformity at Stage 1 (e.g., no risk assessment conducted, no internal audit completed) will delay Stage 2 until the issue is resolved.
Stage 2: On-Site ISMS Audit
Stage 2 is the main certification audit, typically 2–5 days depending on the scope size and complexity. The auditor assesses whether the ISMS is effectively implemented and operating as documented. This involves interviews with personnel across the organisation (not just the security team), evidence review (logs, screenshots, configuration files, training records, incident reports), control testing (verifying that controls described in the SoA are actually in place), and observation (watching processes in action — access provisioning, change management, incident handling). The auditor samples across all clauses and applicable Annex A controls but does not test every control exhaustively. The sampling approach is risk-based, with higher scrutiny on controls related to the organisation's most significant risks.
Audit Findings
- •Major non-conformity: A significant failure to meet a requirement of the standard, or a situation that raises substantial doubt about the ISMS's ability to achieve its intended outcomes. Major NCs must be resolved before the certificate can be issued. Examples: no risk assessment conducted, critical controls not implemented despite being declared applicable in the SoA.
- •Minor non-conformity: A partial failure to meet a requirement that does not undermine the overall effectiveness of the ISMS. Minor NCs must be addressed within a defined timeframe (typically 90 days) with evidence of corrective action submitted to the CB. Examples: a policy approved but not communicated to staff, an access review overdue by one cycle.
- •Observation (opportunity for improvement): A finding that does not constitute a non-conformity but represents a potential weakness or improvement opportunity. Observations do not need formal corrective action but should be considered during management review. Examples: training records stored in multiple locations, risk register formatting inconsistencies.
After Certification
The certificate is valid for three years. Annual surveillance audits (typically 1 day each) verify that the ISMS continues to operate effectively. The CB audits a subset of clauses and controls each year, rotating coverage so that all areas are reviewed at least once during the three-year cycle. In year 3, a full recertification audit is conducted — essentially a repeat of the Stage 1 + Stage 2 process — to determine whether the certificate should be renewed for another three years.
EIC's role: We prepare you for certification — we do not issue the certificate ourselves. This separation between implementation partner and certification body is mandated by ISO 17021 and is fundamental to the credibility of the certification. We work with all major accredited CBs operating in Asia-Pacific and can recommend options based on your industry and geographic footprint.
C H A P T E R 0 8
ROI and Business Case — The CFO Section
This chapter is written for the person who signs the purchase order. ISO 27001 certification is a business investment, and like any investment, it should be evaluated on return. The security team can articulate the risk reduction benefits; this section provides the financial framework to justify the expenditure to a CFO, finance director, or board audit committee.
The ROI of ISO 27001 certification is driven by three quantifiable factors: new contract wins, cyber insurance premium reduction, and compliance overhead reduction through Complio. Each is examined below with representative ranges drawn from EIC client data across Asia-Pacific.
1. Contract Wins — Revenue Protection and Growth
ISO 27001 certification is increasingly a pass/fail criterion in enterprise procurement. Multinational corporations, financial institutions, and government agencies routinely require ISO 27001 certification from suppliers that handle sensitive data. Without the certificate, your proposal is screened out before evaluation begins — regardless of price or capability. The revenue impact is direct: contracts you cannot bid on represent lost revenue with a clear causal link to the absence of certification. Our clients consistently report that ISO 27001 certification opened access to enterprise RFPs that were previously inaccessible, with individual contract values ranging from USD 100,000 to USD 2 million annually.
2. Cyber Insurance Premium Reduction
Cyber insurance underwriters increasingly recognise ISO 27001 certification as a material risk reduction factor. Certified organisations demonstrate a systematic approach to risk management that correlates with lower claim frequency and severity. Premium reductions of 10–20% are common, translating to annual savings of USD 5,000 to USD 40,000 depending on organisation size, industry, and coverage limits. Some underwriters offer additional premium benefits for organisations that can demonstrate continuous compliance monitoring through platforms like Complio, as this provides assurance that the ISMS operates effectively between annual surveillance audits.
3. Complio Overhead Reduction
The ongoing maintenance of an ISMS — evidence collection, control monitoring, internal audit preparation, management review reporting, and surveillance audit readiness — consumes significant staff time. In organisations managing these activities through spreadsheets, shared drives, and email, we typically observe 1.5–2.5 FTE dedicated to ISMS maintenance. Complio reduces this by 40–50%, saving 0.5–1.5 FTE — equivalent to USD 20,000 to USD 75,000 annually in fully loaded staff costs. The platform automates evidence collection, sends control-owner reminders, generates audit-ready reports, and maintains a continuously updated risk register that eliminates the annual scramble before surveillance audits.
Simple ROI calculation:Year 1 investment: Implementation partner fees + CB audit fees + Complio licence + internal staff time. Ongoing annual cost: Complio licence + surveillance audit fee + reduced staff time. Annual benefit: New contract revenue + insurance savings + overhead reduction. Most organisations achieve positive ROI within 12–18 months of certification, with the breakeven point determined primarily by contract win value.
Regulatory Recognition
Beyond direct financial return, ISO 27001 certification satisfies or substantially addresses regulatory requirements across Asia-Pacific. MAS TRM (Singapore), BNM RMiT (Malaysia), and Bangladesh Bank's ICT Security Guidelines all reference ISO 27001 as an accepted framework. Organisations subject to these regulations can leverage their ISO 27001 certification to demonstrate compliance, reducing duplication of effort and the need for separate regulatory assessments. For organisations also considering ISO 22301 (business continuity), dual certification offers additional savings — the management system structure, internal audit programme, and management review process are shared, reducing the marginal cost of the second certification by 30–40%.