
July 1, 2026
Hacker Hub - July 2026
Supply chain attacks are one of the fastest growing cyber threats. SMEs are frequently the entry point attackers use to reach larger targets. Here is what you need to know and what to do about it.
Read MoreRisk management is a key component of ISO27001, covered under requirements 6 and 8 and featured in the ANNEX A controls. Risk forms the basis of ANNEX A controls decisions, and the ANNEX A controls form should be reviewed for alignment with risk treatment decisions.
I suppose we should introduce the ISO27001 standard.
ISO27001 is a globally recognised international standard for managing information security. It provides a framework for implementing and maintaining an effective Information Security Management System (ISMS) designed to protect an organisation's information assets' confidentiality, integrity, and availability.
If you want to know more, check out our "What is ISO27001" article.
Risk management is fundamental to ISO27001, and you have the following expectations from the standard's requirements
Risk is also mentioned in controls within ANNEX A when assessing Supplier Relationships, including the ICT supply chain, as well as screening employees.
The concepts of risk management in ISO 27001 are aligned with the ISO 31000 standard which is a general risk management guidelines document, this is a relatively simple standard and a good method to follow with ISO27001, although I would generally recommend adopting ISO 27005 which is focused on information security risk management which is fundamentally the focus of ISO 27001. It also has a more expectations in the risk assessment process.
A bit of a blend is probably best for most businesses. A process that meets your needs still needs to be defined.
Here, I will cover some of the key components of risk management for ISO 27001, but if you want a deeper understanding, read our "What is Risk Management" article.

July 1, 2026
Supply chain attacks are one of the fastest growing cyber threats. SMEs are frequently the entry point attackers use to reach larger targets. Here is what you need to know and what to do about it.
Read More
June 1, 2026
Five of the most common cyber threats targeting small and medium-sized businesses today, explained in plain English with practical steps you can act on right now.
Read More
June 1, 2026
AI tools are now accessible to attackers and defenders alike. Anthropic's Mythos model proves the game has changed. Here's what that means for your business.
Read More