ISO 27001 Risk Assessment Services

An ISO 27001 risk assessment is usually the first document your certification auditor opens, and often the one that decides how the rest of the audit goes. If your Stage 1 is on the calendar, the real question isn’t whether you need one. It’s whether the risk register, treatment plan, and Statement of Applicability you’re about to produce will actually survive scrutiny against clause 6.1.2 and the 2022 Annex A control set.

We build those three documents as a connected set: every risk in the register traces to a control in the SoA, every control has a treatment owner and a date, and every technical risk is backed by evidence rather than a guess. That’s the difference between documentation that moves you toward certification and documentation that comes back as a string of nonconformities.

ISO 27001 risk assessments start from $5,500+. Pricing depends on ISMS scope, business units in scope, Annex A coverage depth, and audit timeline.

Statement of Applicability, excerpt (soa-excerpt.yaml):

  A.5.1   Policies for information security          MAPPED
  A.5.9   Inventory of information and assets         MAPPED
  A.5.23  Information security for cloud services     GAP
  A.8.8   Management of technical vulnerabilities     GAP
  A.8.16  Monitoring activities                       GAP
  A.8.24  Use of cryptography                         MAPPED
  A.8.29  Security testing in development             MAPPED
  A.5.30  ICT readiness for continuity                MAPPED

What Your Auditor Checks at Stage 1 vs. Stage 2

Stage 1 is a documentation review. The auditor confirms your ISMS scope statement (clause 4.3) matches what you’re actually certifying, that your risk methodology defines consistent likelihood and impact criteria, that the risk register applies that methodology, and that your Statement of Applicability gives a justification for every one of the 93 Annex A 2022 controls, including the ones you’ve excluded. A vague exclusion (“not applicable”) without a documented rationale is one of the most common Stage 1 findings.

Stage 2 is where it gets harder. The auditor samples evidence that the controls in your SoA are actually operating, not just written down. For the technical controls under Annex A 8 (management of technical vulnerabilities, 8.8; monitoring activities, 8.16; security testing in development, 8.29), that means they’ll ask: where’s the evidence this control is functioning? A risk register entry that says “external attacker exploits a web application vulnerability, likelihood: medium” needs something behind it. If the answer is “we haven’t tested that,” it’s a finding.
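As an added example (not the firm's own tooling), the following Python check applies the Stage 1 consistency tests described above to the register, SoA and treatment plan as a connected set: all 93 Annex A 2022 controls addressed in the SoA with a documented rationale, every register entry tracing to an applicable control, and that control carrying a treatment owner and target date. The dictionary layouts, the control-ID enumeration and the sample rows are assumptions constructed for the example.

```python
"""Stage 1 consistency checks across a risk register, SoA and treatment plan (constructed example)."""
import re
from datetime import date

# Annex A 2022 control IDs: A.5.1-A.5.37, A.6.1-A.6.8, A.7.1-A.7.14, A.8.1-A.8.34 (93 controls)
ANNEX_A_2022 = {f"A.{theme}.{n}" for theme, count in ((5, 37), (6, 8), (7, 14), (8, 34))
                for n in range(1, count + 1)}
# A justification that is empty or just "not applicable" / "N/A" is a vague exclusion
VAGUE_RATIONALE = re.compile(r"^\s*(n/?a|not applicable|none)?\s*\.?\s*$", re.I)

def stage1_findings(register, soa, treatment):
    """Return finding strings (empty list = consistent). soa: control_id -> {"applicable",
    "justification"}; treatment: control_id -> {"owner", "target_date"}; register: risk dicts."""
    findings = []
    # 1. The SoA must address all 93 controls, each with a documented justification
    for cid in sorted(ANNEX_A_2022 - set(soa)):
        findings.append(f"SoA: control {cid} is not addressed")
    for cid, row in soa.items():
        if cid not in ANNEX_A_2022:
            findings.append(f"SoA: {cid} is not an Annex A 2022 control ID")
        elif VAGUE_RATIONALE.match(row.get("justification", "")):
            findings.append(f"SoA: {cid} has no documented rationale")
    # 2. Every risk traces to an applicable control that has a treatment owner and date
    for risk in register:
        cid = risk.get("control")
        if cid not in soa:
            findings.append(f"register {risk['id']}: control {cid!r} is not in the SoA")
        elif not soa[cid]["applicable"]:
            findings.append(f"register {risk['id']}: control {cid} is excluded in the SoA")
        elif not treatment.get(cid, {}).get("owner"):
            findings.append(f"register {risk['id']}: control {cid} has no treatment owner")
        elif not isinstance(treatment[cid].get("target_date"), date):
            findings.append(f"register {risk['id']}: control {cid} has no target date")
    return findings

def sample_documents():
    """Constructed sample: SoA covers all 93 controls, one vague exclusion, one risk with no owner."""
    soa = {cid: {"applicable": True, "justification": "Selected via risk register"} for cid in ANNEX_A_2022}
    soa["A.5.23"] = {"applicable": False, "justification": "Not applicable"}  # typical Stage 1 finding
    register = [
        {"id": "R-01", "description": "External attacker exploits a web app vulnerability",
         "likelihood": "medium", "impact": "high", "control": "A.8.8"},
        {"id": "R-02", "description": "Loss of confidentiality of data in transit",
         "likelihood": "low", "impact": "high", "control": "A.8.24"},
    ]
    treatment = {"A.8.24": {"owner": "Head of Platform", "target_date": date(2025, 3, 31)}}
    return register, soa, treatment

if __name__ == "__main__":
    print("\n".join(stage1_findings(*sample_documents())) or "no Stage 1 findings")
```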

Our risk assessment is built with Stage 2 in mind from the start, not patched up after a Stage 1 pass.

Why a Vulnerability Scanner Doesn’t Satisfy Annex A 8.8

Annex A 8.8 requires that information about technical vulnerabilities be obtained in a timely manner, that the organization’s exposure to those vulnerabilities be evaluated, and that appropriate measures be taken. A lot of organizations run an automated scan, attach the PDF to their risk register, and treat 8.8 as closed. Increasingly, auditors don’t accept that, and for good reason.

A scanner flags what’s potentially exploitable based on version banners and known CVEs. It doesn’t chain findings together, doesn’t test business logic, and produces a list of CVSS scores that have nothing to do with your actual environment. The “exposure evaluated” requirement in 8.8 implies someone determined whether a vulnerability is actually reachable and exploitable in context, which is exactly what a scan output can’t tell you.

A manual-led penetration test, run by certified testers against your in-scope systems, gives the risk register real likelihood and impact data instead of a vendor’s severity rating. It’s also the evidence your SoA points to for 8.8, 8.16, and 8.29, and it’s the artifact most auditors expect to see referenced when those controls are marked applicable. If your ISMS scope includes externally facing infrastructure, this is usually the single highest-value addition to a risk assessment engagement.

What You Get: The Audit-Ready Deliverable Set

Every deliverable is built to be handed directly to your auditor or your internal audit team, not reformatted first.

Deliverables:

  • ISMS scope statement: context of the organization, internal/external issues, and interested parties (clause 4.3), aligned to your certification boundary.
  • Asset inventory: classified assets with named owners, ready for the SoA cross-reference.
  • Risk methodology: documented criteria, scoring scales, and risk acceptance thresholds.
  • Risk register: threats, vulnerabilities, existing controls, and risk ratings, with each entry mapped to an Annex A control.
  • Risk treatment plan: selected controls, owners, target dates, and residual risk sign-off.
  • Statement of Applicability (SoA): full Annex A 2022 mapping with justification for every inclusion and exclusion.
  • Executive summary: written for leadership sign-off and for the auditor’s first read.
  • Pre-audit readiness review: a findings walkthrough conducted the way an assessor would run it.

ISO 27001 Evidence Pack

This is what an auditor will physically see and ask about during your engagement.

  • ISMS scope statement mapped to your certification boundary, with named exclusions justified
  • Risk register (matrix format) with an Annex A 2022 cross-reference column for every entry
  • Statement of Applicability covering all 93 controls, inclusion/exclusion justified individually
  • Risk treatment plan with owner, target date, and residual risk acceptance recorded per item
  • Technical vulnerability assessment or penetration test report, mapped explicitly to controls A.8.8, A.8.16, and A.8.29
  • Internal audit checklist derived from the risk register, ready for your internal audit cycle
  • Management review input pack aligned to clause 9.3 reporting requirements
  • Pre-Stage-1 mock review notes documenting what was checked and resolved before the real audit

If your ISMS scope doesn’t currently include a recent technical assessment, we’ll flag that early. It’s the most common reason a risk register stalls during Stage 2.

Our Process

1. Discovery and scoping. We confirm your ISMS boundary, business processes, and the systems and data in scope.

2. Asset and context mapping. Asset inventory, data classification, ownership, and data flows.

3. Threat and vulnerability identification. Workshops with your team, plus a review of any existing technical evidence: scan results, prior pentest reports, architecture docs.

4. Risk evaluation. Likelihood and impact scoring against your defined methodology, with risk acceptance thresholds applied consistently.

5. Annex A control mapping. Selecting and justifying controls for the SoA, including documented rationale for exclusions.

6. Treatment planning. Owners, target dates, and budget for each treatment action, with residual risk explicitly recorded.

7. Pre-audit readiness review. A findings walkthrough run the way an assessor would conduct it, so nothing in the deliverable set surprises you during the real audit.

Where the engagement includes a technical assessment of in-scope systems, that work runs in parallel and feeds directly into the risk register and SoA, not as a separate report that someone has to manually reconcile later.

If Your Audit Is Six Weeks Out

Weeks 1–2: Scoping call, ISMS boundary confirmation, asset inventory, and kickoff of any technical assessment work in parallel.

Weeks 3–4: Risk register build, Annex A mapping, and technical assessment findings integrated as evidence for technical controls.

Week 5: SoA drafted with justifications for every control, treatment plan assigned to owners, executive summary written.

Week 6: Pre-audit readiness review. We walk through the deliverable set the way your auditor will, flag anything that needs tightening, and hand over the final pack.

This timeline assumes reasonable availability from your side for workshops and evidence requests. If you’re closer than six weeks out, tell us where things stand on the scoping call and we’ll tell you honestly what’s achievable in the time you have.

ISO 27001 Risk Assessment Packages

Starter — Risk Register
  Starting price: from $5,500+
  Best for: organizations building their first ISO 27001-aligned risk register
  Key inclusions: ISMS scope confirmation and methodology · asset inventory and risk register creation · high-level Annex A mapping (defined scope) · risk treatment plan outline · executive summary · deliverables pack

Professional — SoA + Treatment
  Starting price: from $9,500+
  Best for: teams approaching Stage 1 who need the SoA and treatment plan audit-ready
  Key inclusions: everything in Starter, plus: full Statement of Applicability with control-by-control justification · expanded Annex A coverage · treatment actions with owners and timelines · one follow-up readiness call

Enterprise — Audit Roadmap
  Starting price: from $15,000
  Best for: larger organizations or near-term audits needing deeper documentation
  Key inclusions: everything in Professional, plus: expanded business unit coverage · Stage 1/Stage 2 audit roadmap · internal audit preparation guidance · optional monthly check-ins

For teams not yet ready for a full risk assessment, an ISO 27001 Gap Sprint is available from $3,500+, scoped to ISMS maturity and desired Annex A depth. Pricing for any package depends on ISMS scope, business units in scope, Annex A coverage depth, and how close your audit date is. See pricing details or book a scoping call for a fixed quote.

If your risk assessment surfaces gaps that need fixing before certification, our ISO 27001 Remediation Services cover that work directly.

Frequently Asked Questions

How long before our Stage 1 audit should we start the risk assessment?

Six weeks gives enough room for asset mapping, risk scoring, Annex A justification, and a pre-audit review without rushing. If you’re inside that window, it’s still workable, but the scope of what’s achievable narrows. Tell us your audit date on the scoping call and we’ll be direct about what fits.

What’s actually in the SoA, and is it ready to hand to the auditor as-is?

The SoA covers all 93 Annex A 2022 controls with a documented justification for each inclusion and exclusion, cross-referenced to the risk register. It’s built in the format auditors expect to review, not a summary that needs rework before submission.

Do we need a penetration test alongside the risk assessment?

If your ISMS scope includes externally facing systems, yes, it’s the evidence auditors look for behind controls A.8.8, A.8.16, and A.8.29. Without it, those controls in your SoA have no technical backing. We can scope this as a combined engagement or run it separately if you’ve had recent testing done elsewhere.

We already built a risk register internally. Can you validate it instead of starting from scratch?

Yes. We review your existing risk register and SoA against the methodology and Annex A 2022, recalibrate scoring where it’s inconsistent, and fill the gaps that would otherwise show up as Stage 2 findings. This is usually faster and less expensive than a full rebuild.

What does this cost if we’re already close to our audit date?

Engagements start from $5,500+ for the Starter package. Final pricing depends on ISMS scope, the number of business units involved, how deep your Annex A coverage needs to go, and your audit timeline. Tell us where you are and we’ll quote a fixed price on the scoping call.

Tell Us Where You Are in Your ISO 27001 Cycle

Whether you’re starting from a blank risk register or validating one you’ve already built, we’ll scope exactly what’s needed for your audit date and quote it as a fixed price.

Looking to fix gaps? Visit ISO 27001 Remediation Services.
