ISMS Copilot

ISO 27001 risk assessment with ISMS Copilot

Run a clause 6.1.2 risk assessment that flows into risk treatment and a justified Statement of Applicability.

Clause 6.1.2 risk assessment to SoA

ISO 27001 certification turns on a defensible chain: clause 6.1.2 (information security risk assessment), clause 6.1.3 (risk treatment), and the Statement of Applicability that justifies every Annex A control you include or exclude. ISMS Copilot helps you define and apply a consistent clause 6.1.2 methodology — risk criteria, risk identification, analysis, and evaluation against acceptance criteria — then carries each evaluated risk into clause 6.1.3, where you choose to treat, accept, avoid, or share it and select the necessary controls. Because Annex A:2022 is a reference set of 93 controls, the selection must trace back to identified risks; ISMS Copilot makes that traceability explicit so the SoA inclusion and exclusion justifications survive auditor scrutiny. It also produces the risk treatment plan and residual-risk acceptance records clause 6.1.3 requires.


Why teams use ISMS Copilot for ISO 27001 risk assessment

  • Apply a consistent, repeatable clause 6.1.2 risk methodology auditors accept
  • Carry each risk into clause 6.1.3 treatment with explicit treatment decisions
  • Drive Annex A:2022 control selection from identified risks, not a checklist
  • Produce a justified Statement of Applicability and residual-risk acceptance records

Free risk register starter

Need somewhere to record the risks the clause 6.1.2 assessment surfaces? The free Risk Register Starter is a configurable 5×5 likelihood×impact register with optional residual scoring — a working template to operationalise the methodology above, not a prescribed method.
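The clause 6.1.2 to 6.1.3 to SoA chain described above, and the 5×5 register with residual scoring, as an added worked example that is not part of ISMS Copilot or the Risk Register Starter. The acceptance criterion, the Annex A subset and the register entries are constructed assumptions; the point is the traceability check at the end, which flags exactly the gaps an auditor would raise.

```python
from dataclasses import dataclass
SCALE = range(1, 6)        # 5x5 likelihood x impact scale, as in the register starter
ACCEPT_AT_OR_BELOW = 8     # constructed risk acceptance criterion (clause 6.1.2)
ANNEX_A = ("A.5.15", "A.8.5", "A.8.7", "A.8.8")   # sample subset of Annex A:2022 ids
@dataclass
class Risk:
    risk_id: str
    likelihood: int
    impact: int
    treatment: str = "treat"   # clause 6.1.3 option: treat | accept | avoid | share
    controls: tuple = ()       # Annex A controls selected to treat or share the risk
    residual: tuple = ()       # (likelihood, impact) expected after treatment, if any

def score(likelihood, impact):
    if likelihood not in SCALE or impact not in SCALE:
        raise ValueError("likelihood and impact must be on the 1..5 scale")
    return likelihood * impact
def residual(risk):  # falls back to the inherent score when no treatment effect is recorded
    return score(*risk.residual) if risk.residual else score(risk.likelihood, risk.impact)
def build_soa(register):
    """One SoA row per control: included only when a treated/shared risk selected it."""
    soa = {}
    for cid in ANNEX_A:
        src = [r.risk_id for r in register
               if cid in r.controls and r.treatment in ("treat", "share")]
        soa[cid] = {"included": bool(src),
                    "justification": f"selected to treat {', '.join(src)}" if src
                    else "no identified risk requires this control"}
    return soa

def traceability_gaps(register, threshold=ACCEPT_AT_OR_BELOW):
    """Breaks in the 6.1.2 -> 6.1.3 -> SoA chain that an auditor would flag."""
    gaps = []
    for r in register:
        above = score(r.likelihood, r.impact) > threshold
        if above and r.treatment == "treat" and not r.controls:
            gaps.append(f"{r.risk_id}: treatment 'treat' but no control selected")
        if above and r.treatment == "accept":
            gaps.append(f"{r.risk_id}: accepted above criterion; needs risk-owner acceptance record")
        if r.treatment in ("treat", "share") and residual(r) > threshold:
            gaps.append(f"{r.risk_id}: residual {residual(r)} still above {threshold}")
    return gaps
REGISTER = [  # constructed sample register; R1..R4 are illustrative, not real findings
    Risk("R1", 4, 5, "treat", ("A.8.8",), (2, 5)),           # unpatched public server
    Risk("R2", 3, 4, "treat", ("A.5.15", "A.8.5"), (1, 4)),  # shared admin credentials
    Risk("R3", 4, 3, "treat", (), (4, 3)),                   # malware via email, untreated
    Risk("R4", 2, 2, "accept"),                              # minor data-entry errors
]
```

Running `traceability_gaps(REGISTER)` on the sample returns three findings (R1 residual still above the criterion, R3 treated with no control, R3 residual above the criterion), while `build_soa(REGISTER)` excludes A.8.7 because no identified risk selected it.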

Open the free Risk Register Starter →

Frequently Asked Questions

Does it support asset-based and scenario-based risk methods?

Yes. ISMS Copilot helps you apply whichever clause 6.1.2 approach fits your organization — asset-threat-vulnerability or scenario-based — as long as it is consistent and repeatable, which is what the standard requires.

How does the risk assessment connect to the SoA?

Every Annex A:2022 control inclusion or exclusion in the Statement of Applicability traces back to a clause 6.1.2 risk and a clause 6.1.3 treatment decision. ISMS Copilot keeps that traceability explicit so the SoA is defensible.

Does it generate the risk treatment plan?

Yes. From the evaluated risks, ISMS Copilot drafts the clause 6.1.3 risk treatment plan and the residual-risk acceptance records you need before the certification audit.

Ready to streamline your compliance work?

Built for speed, accuracy, and audit-ready output.