How long does an ISO 27001 risk assessment take?

Risk assessments are at the heart of ISO 27001, but they often have a reputation for being time-consuming and difficult.

But how long should the risk assessment process take? The answer depends on which tool you use.

Risk assessment tools

Some organisations go for a no- or low-cost approach, using spreadsheets to tackle their ISO 27001 risk assessment.

Although this is at first glance the most economical route, it will take the longest amount of time. That’s because you have to create a structure that’s appropriate to your organisation and enter the information manually.

With this approach, you can expect to spend about one week planning the risk assessment. It will take another day per risk owner or asset owner to enter the relevant information, and a further week to complete the risk assessment.

Finally, you must review the results of the risk assessment, which can take up to four weeks, bringing the total length of time to 40 days.

By comparison, those who use the risk assessment tool vsRisk can complete the process in as little as eight days.

Its built-in library of risks and assets reduces the time it takes to plan and perform the assessment, and it drastically cuts the length of the review process.

Won’t it cost more?

The opposite might actually be true. Depending on the scale of your project, a vsRisk project can cost you as little as £49.95 a month.

If you aren’t using our software but want the same assurance that your risk assessment has been completed in line with ISO 27001’s requirements, you will need to hire an ISO 27001 lead risk assessor, which will cost several thousand pounds.

Even if you don’t hire a professional, the man-hours it would take to complete the process manually make vsRisk an attractive alternative.

To help you make your choice, we’re currently offering a free two-week trial of vsRisk.

You can get to grips with its built-in library of risks and controls, track and manage key threats and generate reports, including the risk treatment plan.


A version of this blog was originally published on 12 March 2019.
