The InfoSec Blog

About ISO 27001 Risk Statement and Controls

Posted by Anton Aylward

On the ISO27000 Forum list, someone asked:

I'm looking for Risk statement for each ISO 27k control; meaning
"what is the risk of not implementing a control".

That's a very ingenious way of looking at it!

One way of formulating the risk statement is from the control
objective mentioned in the standard.
Is there any other way out ?

Ingenious aside, I'd be very careful with an approach like this.

Risks and controlsare not, should not, be 1:1.