ISO 27001 · ANNEX A 2022 MAPPED
ISO 27001 Risk Assessment Services
An ISO 27001 risk assessment is usually the first document your certification auditor opens, and often the one that decides how the rest of the audit goes. If your Stage 1 is on the calendar, the real question isn’t whether you need one. It’s whether the risk register, treatment plan, and Statement of Applicability you’re about to produce will actually survive scrutiny against clause 6.1.2 and the 2022 Annex A control set.
We build those three documents as a connected set: every risk in the register traces to a control in the SoA, every control has a treatment owner and a date, and every technical risk is backed by evidence rather than a guess. That’s the difference between documentation that moves you toward certification and documentation that comes back as a string of nonconformities.
ISO 27001 risk assessments start from $5,500+. Pricing depends on ISMS scope, business units in scope, Annex A coverage depth, and audit timeline.
What Your Auditor Checks at Stage 1 vs. Stage 2
Stage 1 is a documentation review. The auditor confirms your ISMS scope statement (clause 4.3) matches what you’re actually certifying, that your risk methodology defines consistent likelihood and impact criteria, that the risk register applies that methodology, and that your Statement of Applicability gives a justification for every one of the 93 Annex A 2022 controls, including the ones you’ve excluded. A vague exclusion (“not applicable”) without a documented rationale is one of the most common Stage 1 findings.
Stage 2 is where it gets harder. The auditor samples evidence that the controls in your SoA are actually operating, not just written down. For technical controls under Annex A clause 8, such as vulnerability management (8.8), monitoring activities (8.16), and security testing in development (8.29), that means they’ll ask: where’s the evidence this control is functioning? A risk register entry that says “external attacker exploits a web application vulnerability, likelihood: medium” needs something behind it. If the answer is “we haven’t tested that,” it’s a finding.
Our risk assessment is built with Stage 2 in mind from the start, not patched up after a Stage 1 pass.
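The Stage 1 cross-checks described above (methodology applied consistently, every risk mapped to an applicable SoA control, every one of the 93 controls justified, treatment actions owned and dated, technical controls backed by evidence) can be scripted. The block below is an added illustration, not the page’s or the provider’s own tooling; the scoring scale, acceptance threshold and the three sample documents are constructed.

```python
# Annex A 2022 identifiers: 5.1-5.37, 6.1-6.8, 7.1-7.14, 8.1-8.34, 93 controls in total.
ANNEX_A_2022 = [f"{theme}.{n}" for theme, count in ((5, 37), (6, 8), (7, 14), (8, 34))
                for n in range(1, count + 1)]
TECHNICAL_EVIDENCE_CONTROLS = {"8.8", "8.16", "8.29"}  # controls the page ties to test evidence
SCALE = {"low": 1, "medium": 2, "high": 3}              # constructed likelihood and impact scale
ACCEPTANCE_THRESHOLD = 4                                # likelihood x impact above this needs treatment

def check_documents(register, soa, treatment_plan):
    """Return Stage 1 style findings; an empty list means the three documents are consistent."""
    findings = []
    for risk in register:
        rid, control = risk["id"], risk["control"]
        entry = soa.get(control)
        if entry is None or not entry["applicable"]:
            findings.append(f"{rid}: mapped control {control} is missing or excluded in the SoA")
        if control in TECHNICAL_EVIDENCE_CONTROLS and not risk.get("evidence"):
            findings.append(f"{rid}: control {control} needs technical evidence, none referenced")
        if risk["likelihood"] not in SCALE or risk["impact"] not in SCALE:
            findings.append(f"{rid}: likelihood or impact not on the defined scale")
            continue
        score = SCALE[risk["likelihood"]] * SCALE[risk["impact"]]
        if score > ACCEPTANCE_THRESHOLD and rid not in treatment_plan:
            findings.append(f"{rid}: score {score} exceeds the acceptance threshold, no treatment")
    for rid, action in treatment_plan.items():
        if not action.get("owner") or not action.get("target_date"):
            findings.append(f"{rid}: treatment action lacks an owner or target date")
    for cid in ANNEX_A_2022:
        entry = soa.get(cid)
        if entry is None:
            findings.append(f"SoA: control {cid} not addressed")
        elif entry["justification"].strip().lower() in ("", "not applicable", "n/a"):
            findings.append(f"SoA: control {cid} has no documented justification")
    return findings

# Constructed sample documents seeded with the defects auditors flag at Stage 1.
REGISTER = [
    {"id": "R-01", "threat": "External attacker exploits a web application vulnerability",
     "likelihood": "medium", "impact": "high", "control": "8.8", "evidence": "pentest report ref"},
    {"id": "R-02", "threat": "Lost laptop exposes customer data",
     "likelihood": "moderate", "impact": "high", "control": "7.9", "evidence": None},
    {"id": "R-03", "threat": "Log tampering goes unnoticed",
     "likelihood": "low", "impact": "high", "control": "8.16", "evidence": None},
]
SOA = {cid: {"applicable": True, "justification": "Treats a register risk"} for cid in ANNEX_A_2022}
SOA["7.9"] = {"applicable": False, "justification": "not applicable"}  # excluded without rationale
SOA["8.8"]["justification"] = ""                                        # blank justification
del SOA["6.3"]                                                          # control missing entirely
TREATMENT_PLAN = {"R-01": {"owner": "Head of Engineering", "target_date": "2025-03-31"},
                  "R-03": {"owner": "", "target_date": "2025-02-28"}}
```

Running `check_documents(REGISTER, SOA, TREATMENT_PLAN)` on the sample data returns seven findings, each phrased the way a Stage 1 nonconformity would be raised.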
Why a Vulnerability Scanner Doesn’t Satisfy Annex A 8.8
Annex A 8.8 requires that information about technical vulnerabilities be obtained in a timely manner, that the organization’s exposure to those vulnerabilities be evaluated, and that appropriate measures be taken. A lot of organizations run an automated scan, attach the PDF to their risk register, and treat 8.8 as closed. Increasingly, auditors don’t accept that, and for good reason.
A scanner flags what’s potentially exploitable based on version banners and known CVEs. It doesn’t chain findings together, doesn’t test business logic, and produces a list of CVSS scores that have nothing to do with your actual environment. The “exposure evaluated” requirement in 8.8 implies someone determined whether a vulnerability is actually reachable and exploitable in context, which is exactly what a scan output can’t tell you.
A manual-led penetration test, run by certified testers against your in-scope systems, gives the risk register real likelihood and impact data instead of a vendor’s severity rating. It’s also the evidence your SoA points to for 8.8, 8.16, and 8.29, and it’s the artifact most auditors expect to see referenced when those controls are marked applicable. If your ISMS scope includes externally facing infrastructure, this is usually the single highest-value addition to a risk assessment engagement.
What You Get: The Audit-Ready Deliverable Set
Every deliverable is built to be handed directly to your auditor or your internal audit team, not reformatted first.
- ISMS scope statement: context of the organization, internal/external issues, and interested parties (clause 4.3), aligned to your certification boundary.
- Asset inventory: classified assets with named owners, ready for the SoA cross-reference.
- Risk methodology: documented criteria, scoring scales, and risk acceptance thresholds.
- Risk register: threats, vulnerabilities, existing controls, and risk ratings, with each entry mapped to an Annex A control.
- Risk treatment plan: selected controls, owners, target dates, and residual risk sign-off.
- Statement of Applicability (SoA): full Annex A 2022 mapping with justification for every inclusion and exclusion.
- Executive summary: written for leadership sign-off and for the auditor’s first read.
- Pre-audit readiness review: a findings walkthrough conducted the way an assessor would run it.
ISO 27001 Evidence Pack
This is what an auditor will physically see and ask about during your engagement.
- ISMS scope statement mapped to your certification boundary, with named exclusions justified
- Risk register (matrix format) with an Annex A 2022 cross-reference column for every entry
- Statement of Applicability covering all 93 controls, inclusion/exclusion justified individually
- Risk treatment plan with owner, target date, and residual risk acceptance recorded per item
- Technical vulnerability assessment or penetration test report, mapped explicitly to controls A.8.8, A.8.16, and A.8.29
- Internal audit checklist derived from the risk register, ready for your internal audit cycle
- Management review input pack aligned to clause 9.3 reporting requirements
- Pre-Stage-1 mock review notes documenting what was checked and resolved before the real audit
If your ISMS scope doesn’t currently include a recent technical assessment, we’ll flag that early. It’s the most common reason a risk register stalls during Stage 2.
Our Process
1. Discovery and scoping. We confirm your ISMS boundary, business processes, and the systems and data in scope.
2. Asset and context mapping. Asset inventory, data classification, ownership, and data flows.
3. Threat and vulnerability identification. Workshops with your team plus a review of any existing technical evidence: scan results, prior pentest reports, and architecture docs.
4. Risk evaluation. Likelihood and impact scoring against your defined methodology, with risk acceptance thresholds applied consistently.
5. Annex A control mapping. Selecting and justifying controls for the SoA, including documented rationale for exclusions.
6. Treatment planning. Owners, target dates, and budget for each treatment action, with residual risk explicitly recorded.
7. Pre-audit readiness review. A findings walkthrough run the way an assessor would conduct it, so nothing in the deliverable set surprises you during the real audit.
Where the engagement includes a technical assessment of in-scope systems, that work runs in parallel and feeds directly into the risk register and SoA, not as a separate report that someone has to manually reconcile later.
If Your Audit Is Six Weeks Out
Weeks 1–2: Scoping call, ISMS boundary confirmation, asset inventory, and kickoff of any technical assessment work in parallel.
Weeks 3–4: Risk register build, Annex A mapping, and technical assessment findings integrated as evidence for technical controls.
Week 5: SoA drafted with justifications for every control, treatment plan assigned to owners, executive summary written.
Week 6: Pre-audit readiness review. We walk through the deliverable set the way your auditor will, flag anything that needs tightening, and hand over the final pack.
This timeline assumes reasonable availability from your side for workshops and evidence requests. If you’re closer than six weeks out, tell us where things stand on the scoping call and we’ll tell you honestly what’s achievable in the time you have.
ISO 27001 Risk Assessment Packages
| Tier | Starting price | Best for | Key inclusions |
|---|---|---|---|
| Starter — Risk Register | From $5,500+ | Organizations building their first ISO 27001-aligned risk register | ISMS scope confirmation and methodology · asset inventory and risk register creation · high-level Annex A mapping (defined scope) · risk treatment plan outline · executive summary deliverables pack |
| Professional — SoA + Treatment | From $9,500+ | Teams approaching Stage 1 who need the SoA and treatment plan audit-ready | Everything in Starter, plus: full Statement of Applicability with control-by-control justification · expanded Annex A coverage · treatment actions with owners and timelines · one follow-up readiness call |
| Enterprise — Audit Roadmap | From $15,000 | Larger organizations or near-term audits needing deeper documentation | Everything in Professional, plus: expanded business unit coverage · Stage 1/Stage 2 audit roadmap · internal audit preparation guidance · optional monthly check-ins |
For teams not yet ready for a full risk assessment, an ISO 27001 Gap Sprint is available from $3,500+, scoped to ISMS maturity and desired Annex A depth. Pricing for any package depends on ISMS scope, business units in scope, Annex A coverage depth, and how close your audit date is. See pricing details or book a scoping call for a fixed quote.
If your risk assessment surfaces gaps that need fixing before certification, our ISO 27001 Remediation Services cover that work directly.
Frequently Asked Questions
How long before our Stage 1 audit should we start the risk assessment?
Six weeks gives enough room for asset mapping, risk scoring, Annex A justification, and a pre-audit review without rushing. If you’re inside that window, it’s still workable, but the scope of what’s achievable narrows. Tell us your audit date on the scoping call and we’ll be direct about what fits.
What’s actually in the SoA, and is it ready to hand to the auditor as-is?
The SoA covers all 93 Annex A 2022 controls with a documented justification for each inclusion and exclusion, cross-referenced to the risk register. It’s built in the format auditors expect to review, not a summary that needs rework before submission.
Do we need a penetration test alongside the risk assessment?
If your ISMS scope includes externally facing systems, yes, it’s the evidence auditors look for behind controls A.8.8, A.8.16, and A.8.29. Without it, those controls in your SoA have no technical backing. We can scope this as a combined engagement or run it separately if you’ve had recent testing done elsewhere.
We already built a risk register internally. Can you validate it instead of starting from scratch?
Yes. We review your existing risk register and SoA against the methodology and Annex A 2022, recalibrate scoring where it’s inconsistent, and fill the gaps that would otherwise show up as Stage 2 findings. This is usually faster and less expensive than a full rebuild.
What does this cost if we’re already close to our audit date?
Engagements start from $5,500+ for the Starter package. Final pricing depends on ISMS scope, the number of business units involved, how deep your Annex A coverage needs to go, and your audit timeline. Tell us where you are and we’ll quote a fixed price on the scoping call.
Tell Us Where You Are in Your ISO 27001 Cycle
Whether you’re starting from a blank risk register or validating one you’ve already built, we’ll scope exactly what’s needed for your audit date and quote it as a fixed price.
Looking to fix gaps? Visit ISO 27001 Remediation Services.