
7 Steps to perform a Cybersecurity Risk Assessment aligned with ISO 27001 and NIS2



Performing a cybersecurity risk assessment that satisfies both ISO 27001 and the NIS2 Directive can feel overwhelming, especially with the EU's tightened compliance landscape. But organisations that align their risk assessment processes with both frameworks gain a strategic advantage: streamlined audits, reduced compliance friction, and a resilient security posture that meets strict European standards.

This guide walks you through seven essential steps to conduct a cybersecurity risk assessment that satisfies both standards, turning compliance into a competitive strength.

Let's break it down:

1. Establish and document your Risk Assessment Methodology

Before identifying a single risk, define and document how your organisation will assess cybersecurity threats. ISO 27001 Clause 6.1.2 and NIS2 Article 21 both require a systematic, repeatable methodology that produces consistent, auditable results.

Your methodology should include:

  • Risk criteria: Define what constitutes high, medium, and low risk, including your risk appetite and acceptance threshold
  • Assessment approach: Choose between asset-based (identifying threats to specific information assets) or scenario-based (evaluating threat scenarios across systems)
  • Scoring method: Document whether you'll use qualitative (low/medium/high), semi-quantitative (numeric scales), or fully quantitative (financial impact) risk calculations
  • Roles and responsibilities: Assign risk owners, assessment facilitators, and approval authorities. NIS2 Article 20 requires management bodies to approve the cybersecurity risk-management measures and to oversee their implementation
  • Review frequency: Establish when assessments will be repeated (annually, after major incidents, or when business changes occur)

Organisations aligned with both ISO 27001 and NIS2 should ensure their methodology explicitly addresses supply chain security, incident reporting timelines, and NIS2's "state of the art" requirement: Article 21 asks for measures that are appropriate and proportionate, taking into account the state of the art and, where applicable, relevant European and international standards. Securance's Single Audit, Multiple Standards approach helps SaaS and tech firms streamline this process, ensuring one methodology satisfies multiple compliance frameworks.

2. Define scope and identify critical information assets

NIS2 broadens the scope of risk assessment beyond traditional IT systems to include operational technology (OT), supply chains, and services provided to direct customers. Start by mapping all information assets within your ISMS scope:

  • Data assets: Customer data, intellectual property, financial records, employee information
  • Systems and applications: Cloud platforms, SaaS tools, on-premises servers, APIs
  • Infrastructure: Network devices, endpoints, mobile devices, IoT and OT systems
  • People: Key personnel, third-party contractors, and service providers
  • Physical locations: Data centres, offices, and any locations housing critical infrastructure

For each asset, document its value to the business, its classification level (confidential, internal, public), and its dependencies. NIS2 requires organisations to assess risks not only to their own systems but also to the security of the services they provide, which is particularly relevant for SaaS providers and technology companies operating in essential or important sectors.

3. Identify threats, vulnerabilities, and compliance obligations

With your asset inventory complete, systematically identify the threats and vulnerabilities that could compromise confidentiality, integrity, or availability. Consider both ISO 27001's information security focus and NIS2's emphasis on operational resilience.

Common threat categories include:

  • Cyber threats: Ransomware, phishing, denial-of-service attacks, malicious insiders
  • Physical threats: Natural disasters, power failures, physical intrusion
  • Supply chain risks: Vendor breaches, third-party software vulnerabilities, service interruptions
  • Compliance and legal risks: Data protection violations, failure to report incidents within NIS2's 24-hour early warning window

For each asset, map the specific vulnerabilities that could be exploited: outdated software, weak access controls, lack of encryption, insufficient backup procedures. The technical measures NIS2 Article 21 lists (multi-factor authentication, cryptography and encryption, basic cyber hygiene practices and training) directly address many of these vulnerabilities and should be integrated into your vulnerability management process.

4. Analyze and prioritize risks using a consistent scoring matrix

Risk analysis is where ISO 27001's structured methodology shines. For each identified risk, evaluate two dimensions:

  • Likelihood: How probable is this threat, given current controls? (Scale: 1–5 or Low/Medium/High)
  • Impact: What would be the consequence if this risk materialised? Consider financial loss, operational disruption, regulatory penalties, and reputational damage (Scale: 1–5 or Low/Medium/High)

Calculate the overall risk level by multiplying likelihood and impact, or by looking the pair up in a fixed mapping table, to produce a risk score. Plot the results on a risk matrix or heatmap to visualise priority areas. High-impact, high-likelihood risks demand immediate treatment; low-impact, low-likelihood risks may be accepted. Whichever method you choose, apply it identically across all assessors and document it in the methodology from step 1: a plain product gives a likelihood-5, impact-1 nuisance the same score as a likelihood-1, impact-5 catastrophe, which is why many organisations weight impact or use a mapping table that ranks those two cells differently.

NIS2 introduces stricter expectations around board accountability and "all-hazards" risk management. Ensure your analysis reflects emerging threats, supply chain dependencies, and operational continuity, not just historical vulnerabilities. Document your rationale for each score to provide auditable evidence during ISO 27001 certification or NIS2 regulatory inspections.

5. Evaluate Risks and Develop a Risk Treatment Plan

Once risks are analysed and scored, they must be formally evaluated against your organisation’s risk acceptance criteria.

For each risk, determine whether to:

  • Treat (implement controls)
  • Transfer (e.g., insurance or contractual shift)
  • Avoid (discontinue the activity)
  • Accept (formally approve residual risk)

Document these decisions in a Risk Treatment Plan (RTP) that outlines:

  • Selected controls
  • Responsible owners
  • Implementation timelines
  • Expected residual risk

ISO 27001 Clause 6.1.3 requires risk owners to approve the risk treatment plan and formally accept the residual risks, and NIS2 Article 20 places accountability for the approved measures with the management body. This decision-making step ensures that risk analysis translates into accountable governance action.
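Steps 4 and 5 as working code, added here as an illustration and not taken from Securance or from either standard. It scores a small risk register on the likelihood and impact scales described above, sorts it into priority order, and evaluates each risk against a documented acceptance criterion to produce Risk Treatment Plan rows. The 1–5 scales, the band floors, the acceptance threshold of 6, the sample risks and the decision labels are all assumptions; your own methodology from step 1 must define and justify its equivalents.

```python
"""Score, prioritise and evaluate a risk register against documented acceptance criteria.
Added example, not Securance's or either standard's code. The scales, band floors,
acceptance threshold and sample register below are illustrative assumptions."""
from dataclasses import dataclass
from typing import Optional

SCALE = range(1, 6)                                  # assumed 1-5 scales for likelihood and impact
BANDS = ((15, "High"), (8, "Medium"), (1, "Low"))    # assumed band floors on the 1-25 product
ACCEPTANCE_THRESHOLD = 6                             # assumed acceptance criterion: score <= 6


@dataclass
class Risk:
    rid: str
    asset: str
    threat: str
    likelihood: int
    impact: int
    owner: str
    rationale: str                           # why these scores were chosen (audit evidence)
    control: Optional[str] = None            # planned treatment, if any
    residual_likelihood: Optional[int] = None
    residual_impact: Optional[int] = None
    signed_off_by: Optional[str] = None      # approver when a residual above threshold is accepted


def score(likelihood: int, impact: int) -> int:
    """Risk score as the likelihood x impact product on the assumed 1-5 scales."""
    if likelihood not in SCALE or impact not in SCALE:
        raise ValueError("likelihood and impact must be integers from 1 to 5")
    return likelihood * impact


def band(s: int) -> str:
    """Map a score to the documented Low/Medium/High band."""
    for floor, name in BANDS:
        if s >= floor:
            return name
    raise ValueError(f"score {s} is below the lowest band")


def inherent(risk: Risk) -> int:
    return score(risk.likelihood, risk.impact)


def residual(risk: Risk) -> int:
    """Expected score after the planned control; equals the inherent score when none is planned."""
    lik = risk.likelihood if risk.residual_likelihood is None else risk.residual_likelihood
    imp = risk.impact if risk.residual_impact is None else risk.residual_impact
    return score(lik, imp)


def prioritise(register: list) -> list:
    """Highest inherent score first; ties broken by ID so the order is reproducible."""
    return sorted(register, key=lambda r: (-inherent(r), r.rid))


def evaluate(risk: Risk, threshold: int = ACCEPTANCE_THRESHOLD) -> tuple:
    """Apply the acceptance criteria and return (decision, rationale)."""
    inh, res = inherent(risk), residual(risk)
    if inh <= threshold:
        return "Accept", f"inherent score {inh} is within the threshold of {threshold}"
    if risk.control is None:
        return "Treat", f"inherent score {inh} ({band(inh)}) exceeds the threshold; no treatment planned yet"
    if res <= threshold:
        return "Treat", f"residual score {res} is within the threshold after '{risk.control}'"
    if risk.signed_off_by:
        return "Accept residual", f"residual score {res} is above the threshold; accepted by {risk.signed_off_by}"
    return "Escalate", f"residual score {res} is still above the threshold; needs formal sign-off"


def treatment_plan(register: list) -> list:
    """One RTP row per risk, in priority order: owner, control, residual and decision."""
    rows = []
    for r in prioritise(register):
        decision, note = evaluate(r)
        rows.append({"id": r.rid, "asset": r.asset, "inherent": inherent(r), "band": band(inherent(r)),
                     "control": r.control, "residual": residual(r), "owner": r.owner,
                     "decision": decision, "note": note})
    return rows


# Constructed sample register (illustrative entries, not real findings).
REGISTER = [
    Risk("R-01", "Customer database", "Ransomware via phished admin credentials", 4, 5, "CISO",
         "monthly phishing attempts observed; no MFA on admin VPN; encryption would halt service",
         control="MFA on all admin access; immutable off-site backups",
         residual_likelihood=2, residual_impact=3),
    Risk("R-02", "Public website", "Volumetric denial of service", 3, 2, "Head of IT",
         "CDN absorbs most traffic; a brief outage only affects marketing pages"),
    Risk("R-03", "Payroll SaaS vendor", "Vendor breach exposing employee data", 3, 4, "HR Director",
         "vendor had a public incident last year; data is special-category",
         control="contractual security clauses; annual assurance report review",
         residual_likelihood=2, residual_impact=4),
    Risk("R-04", "Office printers", "Unattended print retrieval", 2, 1, "Facilities",
         "badge-release printing in place; low-sensitivity documents"),
]

if __name__ == "__main__":
    for row in treatment_plan(REGISTER):
        print(f"{row['id']} {row['band']:<6} inherent={row['inherent']:>2} "
              f"residual={row['residual']:>2} {row['decision']}: {row['note']}")
```

Two design choices matter for auditability: every decision carries the rationale string that produced it, and a residual score above the threshold can only become "Accept residual" when a named approver is recorded, so the register itself shows whether the risk owner sign-off that ISO 27001 Clause 6.1.3 asks for actually happened.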


6. Implement controls and produce auditable documentation

With your RTP approved, implement the selected controls and maintain rigorous documentation. ISO 27001 and NIS2 both demand evidence that your risk assessment process is repeatable, that controls are functioning as intended, and that residual risks are known and accepted.

Essential documentation includes:

  • Risk Register: A living document listing all identified risks, their scores, treatment decisions, owners, and status
  • Statement of Applicability (SoA): Justification for each ISO 27001 Annex A control (implemented, not applicable, or planned)
  • Risk Treatment Plan: Timeline, owners, and implementation evidence for each treatment action
  • Incident Response Procedures: Documented workflows for detecting, responding to, and reporting incidents within the NIS2 Article 23 timelines (an early warning within 24 hours of becoming aware of a significant incident, an incident notification within 72 hours, and a final report within one month)
  • Management Approvals: Formal records showing that top management has reviewed, approved, and taken ownership of cybersecurity risks

As you implement controls, maintain a clear audit trail. NIS2 regulators and ISO 27001 auditors will request evidence that your documented methodology was followed, risks were assessed, and controls were deployed. Organisations working with Securance benefit from integrated advisory and assurance services that ensure documentation meets both ISO 27001 and NIS2 standards from day one.

7. Monitor, review, and continuously improve your risk assessment process

ISO 27001 requires regular reviews and updates, while NIS2 emphasises continuous monitoring and incident-based reassessment. Establish a schedule for:

  • Annual risk reviews: Revisit your risk register, update threat intelligence, and reassess residual risks
  • Event-driven assessments: Conduct ad-hoc reviews after security incidents, significant business changes, new regulatory guidance, or supply chain disruptions
  • Control effectiveness testing: Validate that implemented controls are working as intended through internal audits, penetration testing, and vulnerability scanning
  • Board-level reporting: Provide regular cybersecurity risk updates to management, as required by NIS2's accountability provisions

Track key performance indicators (KPIs) such as the number of open high-priority risks, time to remediate vulnerabilities, and incident response times. Continuous improvement ensures your ISMS remains effective, your compliance posture is defensible, and your organisation can respond rapidly to emerging threats.


Turning compliance into competitive advantage

Performing a cybersecurity risk assessment aligned with ISO 27001 and NIS2 is a strategic investment in resilience, trust, and operational excellence. By following these seven steps, organisations can satisfy both frameworks in a single, efficient process, reducing audit burden and strengthening security outcomes.

For SaaS and tech companies navigating the European compliance landscape, aligning risk assessment with ISO 27001 and NIS2 creates a unified governance framework that supports SOC 2 compliance, data protection obligations, and customer assurance requirements.