The 5x5 risk matrix survives audits, not scrutiny
ISO 27001 never asks for a heat map. What it does ask for (consistent, valid and comparable results) is the test most risk matrices fail.

Ask an implementation team why their ISO 27001 risk assessment is a five-by-five grid of greens, ambers and reds, and the answer, in our experience, is usually some version of "that is what the auditor expects." Both halves of that sentence deserve more scrutiny than they get. Nothing in the standard's risk clauses asks for a matrix, and the matrix is a poor way to meet what those clauses do ask for. The grid persists because it is legible in a document review, not because it is good at describing risk, and treating those as the same property is, we would argue, the quiet methodology mistake inside many certified ISMSs.
What clause 6.1.2 actually requires
ISO/IEC 27001:2022 (third edition, published 2022-10-25; the climate-action amendment Amd 1:2024, published 2024-02-23, does not alter clause 6.1.2) spends one clause, 6.1.2, on the risk assessment process. It requires the organization to define and apply a process that establishes risk criteria, including risk acceptance criteria; that ensures repeated assessments "produce consistent, valid and comparable results"; and that identifies risks, analyses them by assessing consequences and likelihood to determine levels of risk, and evaluates them against the criteria (ISO/IEC 27001:2022, clause 6.1.2).
Notice what clause 6.1.2 does not specify. No matrix. No heat map. No five-point scale, no "likelihood times impact," no color scheme. Even "levels of risk," the phrase teams most often read as a license for ordinal buckets, does not say how those levels are to be expressed. The supporting guidance standard, ISO/IEC 27005:2022 (fourth edition, published 2022-10-25), accommodates both qualitative and quantitative approaches, and its consequence and likelihood scales and matrix examples sit in Annex A, an informative annex of example techniques. It is guidance; it mandates nothing.
So, for the outputs of whatever method you choose, the certifiable text asks for three properties: consistency, validity, comparability. The standard does not define those words, so what follows is our argument, made against their plain meaning: the reasonable next question is how the default method scores on each, and the answer has been in the peer-reviewed literature for the better part of two decades.
The matrix against the standard's own three words
The most cited examination of the method is Tony Cox's "What's Wrong with Risk Matrices?" (Risk Analysis, vol. 28, no. 2, April 2008), and its findings map uncomfortably well onto the three words in clause 6.1.2.
Comparable. Cox showed that risk matrices have limited resolution: typically they can correctly and unambiguously compare only a small fraction of randomly selected pairs of hazards, and they can assign identical ratings to quantitatively very different risks. Two risks an order of magnitude apart in expected loss routinely land in the same "high" cell. A method whose output cannot distinguish them is not producing comparable results; it is producing a shared label that conceals the comparison you needed.
Valid. The same paper showed matrices can do worse than fail to discriminate: they can mistakenly assign the higher qualitative rating to the quantitatively smaller risk, and under realistic conditions, such as frequency and severity being negatively correlated, matrix-guided prioritization can perform worse than random. Validity means the method's outputs track the thing being measured. A method that can invert the ranking of two risks does not.
Consistent. Ordinal labels feel objective because everyone in the room uses the same words. The evidence is that the words do not carry the same numbers between heads. When researchers tested how readers interpret the IPCC's calibrated uncertainty language, the assigned probabilities varied widely and frequently fell outside the ranges the terms were defined to mean (Budescu, Broomell and Por, "Improving communication of uncertainty in the reports of the Intergovernmental Panel on Climate Change," Psychological Science, vol. 20, no. 3, pp. 299-308, 2009). "Likely" on your scale is doing the same thing: two competent assessors, the same risk, different cells, and the process has no way to notice, because the disagreement is hidden inside the shared label.
Put together, this is an awkward inversion. The method teams choose because it feels audit-safe is the method hardest to defend against a literal reading of the clause it is supposed to satisfy. In our experience it rarely draws a finding, and that is precisely the point: the matrix is optimized for recognizability in a document review, not for the decision the document exists to support.
Why it survives anyway
It would be too easy to call this laziness. The matrix survives because it does real work, just not the work of measuring risk. It is cheap to produce. It compresses disagreement, which lets a risk workshop end on time: two people who would argue for an hour about whether a likelihood is 5 percent or 25 percent will both accept "medium." It gives management a one-page picture. And it is familiar to any reviewer who has seen a hundred of them, which, we suspect, is much of what practitioners actually mean by "the auditor expects it."
Those are social benefits, and they are genuine. The mistake is booking them as analytical benefits. The compression that ends the workshop early is the same compression that erases the information clause 6.1.2 asks you to preserve. When the matrix is the analysis rather than a summary of it, the risk register becomes a record of which arguments were avoided.
On the audit fear specifically: in our reading, the certification audit assesses conformity with the standard and with the process you yourself documented. Nothing in the certifiable text names a technique, so if a matrix is expected anywhere, that expectation comes from convention or from your own documented method, not from ISO/IEC 27001 itself. What an auditor can fairly press on is whether your criteria are defined, whether your method is applied as documented, and whether repeated runs are comparable. Those questions are method-agnostic, and a better method answers them more convincingly, not less.
The actual decision
Framed honestly, a team picking a risk methodology under ISO 27001 is choosing between three positions.
The first is to keep the matrix and shore it up: anchor every label to an explicit quantitative range, define consequence in money or downtime rather than adjectives, and accept the documented pathologies as the price of legibility. This is defensible, but only if the anchoring is real. A matrix whose "likely" is tied to a stated numeric range is a different instrument from one whose "likely" means whatever the room felt that day.
The second is full quantification in the style of FAIR, the factor-analysis approach published by The Open Group as the Open FAIR standards: distributions, simulation, loss exceedance curves. For many small and mid-size organizations this is, in our view, more machinery than their decisions require, and the calibration and modelling skills it assumes are, in our experience, rarely available in-house. Adopting it badly reproduces the false-precision problem with more decimal places.
The third position, and the one we would argue for, is the unglamorous middle: state risk acceptance criteria in operational terms (money, downtime, records exposed), estimate likelihood and impact as calibrated ranges rather than ordinal points, and keep the colored grid, if you keep it at all, strictly as a presentation layer over analysis that happened elsewhere. This satisfies the three words of 6.1.2 more literally than the default does, costs far less than full quantification, and changes nothing about what the auditor sees except that the numbers behind the picture now exist.
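To make the middle position concrete, here is an added example (constructed for this post, not taken from ISO/IEC 27001, ISO/IEC 27005 or any vendor tool). It holds each risk as a pair of calibrated ranges, applies an acceptance criterion stated in money, and derives the 5x5 cell only as a presentation layer over that analysis. The band thresholds, the 50,000 acceptance figure and the three sample risks are all assumptions. On those constructed figures it also reproduces the two Cox pathologies discussed above: two risks roughly twenty times apart in expected annual loss share a cell, and the cell score ranks a smaller risk above a larger one.

```python
"""Risks held as calibrated ranges; the 5x5 grid derived from them as a view.

Every figure here is constructed for illustration: the band thresholds, the
acceptance criterion and the three risks are assumptions, not from the standards.
"""
from dataclasses import dataclass

# Likelihood bands: annual probability thresholds for ordinal scores 2..5
# (a value below the first threshold scores 1). Assumed, not prescribed.
LIKELIHOOD_BANDS = (0.01, 0.05, 0.25, 0.75)
# Impact bands: loss in currency units, same convention. Assumed.
IMPACT_BANDS = (10_000, 100_000, 1_000_000, 10_000_000)
# Acceptance criterion in operational terms: treat the risk if the upper
# bound of its expected annual loss reaches this figure. Assumed.
ACCEPTABLE_EXPECTED_LOSS = 50_000


def band(value, thresholds):
    """Ordinal 1..5 score: one plus the number of thresholds met or exceeded."""
    return 1 + sum(value >= t for t in thresholds)


@dataclass(frozen=True)
class Risk:
    name: str
    p_low: float       # calibrated interval for annual probability of the event
    p_high: float
    loss_low: float    # calibrated interval for loss if the event occurs
    loss_high: float

    def expected_loss_range(self):
        """Crude bounds on expected annual loss (treats the two intervals as independent)."""
        return (self.p_low * self.loss_low, self.p_high * self.loss_high)

    def expected_loss_point(self):
        """Single summary value: product of the two interval midpoints."""
        return ((self.p_low + self.p_high) / 2) * ((self.loss_low + self.loss_high) / 2)

    def cell(self):
        """Presentation only: the 5x5 cell the midpoint estimates fall into."""
        p_mid = (self.p_low + self.p_high) / 2
        loss_mid = (self.loss_low + self.loss_high) / 2
        return (band(p_mid, LIKELIHOOD_BANDS), band(loss_mid, IMPACT_BANDS))

    def cell_score(self):
        """The usual 'likelihood times impact' ordinal product."""
        likelihood, impact = self.cell()
        return likelihood * impact


def evaluate(risk, threshold=ACCEPTABLE_EXPECTED_LOSS):
    """Apply the acceptance criterion to the analysis, never to the cell colour."""
    return "treat" if risk.expected_loss_range()[1] >= threshold else "accept"


def rank_by_cell(risks):
    """Order the grid would suggest (ties keep input order)."""
    return [r.name for r in sorted(risks, key=lambda r: -r.cell_score())]


def rank_by_expected_loss(risks):
    """Order the underlying analysis suggests."""
    return [r.name for r in sorted(risks, key=lambda r: -r.expected_loss_point())]


def render_grid(risks):
    """Draw the 5x5 grid as a view over the ranges: rows impact 5..1, columns likelihood 1..5."""
    cells = {}
    for r in risks:
        cells.setdefault(r.cell(), []).append(r.name)
    lines = []
    for impact in range(5, 0, -1):
        row = [",".join(cells.get((lik, impact), [])) or "." for lik in range(1, 6)]
        lines.append(f"I{impact} | " + " | ".join(f"{c:>5}" for c in row))
    lines.append("     " + " | ".join(f"{'L' + str(lik):>5}" for lik in range(1, 6)))
    return "\n".join(lines)


# Constructed sample risks (illustrative figures only).
RISKS = [
    Risk("A", 0.05, 0.10, 100_000, 150_000),   # modest probability, modest loss
    Risk("B", 0.20, 0.24, 800_000, 900_000),   # same cell as A, ~20x the expected loss
    Risk("C", 0.26, 0.30, 100_000, 110_000),   # higher cell score than B, far smaller loss
]

if __name__ == "__main__":
    print(render_grid(RISKS))
    for r in RISKS:
        lo, hi = r.expected_loss_range()
        print(f"{r.name}: cell={r.cell()} score={r.cell_score()} "
              f"expected annual loss {lo:,.0f}..{hi:,.0f} -> {evaluate(r)}")
    print("ranked by cell score:   ", rank_by_cell(RISKS))
    print("ranked by expected loss:", rank_by_expected_loss(RISKS))
```

Two design points. Multiplying the interval endpoints is a deliberately crude bound that treats likelihood and loss as independent; it is enough to show why the cell is not the analysis, and a team that needs more can replace it with a distribution without changing what the grid displays. Second, because the inputs are numeric ranges, two assessors who disagree now produce visibly different intervals rather than the same word, which is what makes the "consistent" test of clause 6.1.2 checkable at all.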
One honest caveat belongs to any switch: clause 6.1.2 asks that repeated assessments be comparable, and a mid-cycle methodology change costs you year-on-year comparability. Change at a natural boundary and record why. That is a transition cost to manage, not a reason to keep a method you no longer believe in.
The rule worth keeping
If the strongest argument for your risk method is that it looks like everyone else's, you have learned something about audits and nothing about your risks. ISO 27001 is more permissive, and more demanding, than the default it is blamed for: its risk clause never asks for the grid, and it does ask for consistency, validity and comparability, which are exactly the properties the grid is documented to lack. Teams that read the clause instead of copying the artifact end up with a method they can defend in both rooms, the audit and the incident review.
Working out what a clause actually requires, as opposed to what the template ecosystem has decided it requires, is much of the daily work of building an ISMS, and it is the kind of question ISMS Copilot is built to answer with the standard's own text. The matrix is optional. The three words are not.