How to Run an ISO 27001 Risk Assessment Engineers Respect
Most risk assessments are theatre that engineers ignore. Here is how to run one that reflects real threats and actually changes what your team builds.
By Kellwick Team · July 8, 2026 · 5 min read
Ask most engineers what they think of the company risk assessment and you will get a shrug. To them it is a spreadsheet someone in compliance fills in once a year, full of vague entries scored one to five, with no connection to the systems they actually build. That reaction is fair, and it is a problem worth fixing, because a risk assessment that engineers ignore is a risk assessment that does not work.
Why the usual approach loses the room
The standard failure mode looks like this. Someone opens a template listing generic threats: "unauthorised access," "data loss," "malware." Each gets a likelihood and impact score plucked from the air. The totals are colour-coded. The document is filed and never opened again until the next audit.
Engineers dismiss it for good reasons. The entries do not map to real components. The scores have no basis they can interrogate. Nothing in the assessment predicts or prevents the incidents they actually worry about. It reads as an exercise performed for an auditor, not a tool for making the system safer.
ISO 27001 does not require any of this. The standard asks you to identify risks to the confidentiality, integrity and availability of information, assess them, and decide what to do. It is deliberately open about method. That openness is an opportunity: you can build an assessment grounded in your real architecture rather than a generic list.
Start from the system, not the template
The single most effective change is to anchor the assessment in your actual systems and data flows.
Sit down with the people who operate the platform and map it: the services, the data stores, the trust boundaries, the third parties, the paths customer data takes through it all. You do not need a perfect diagram. You need a shared picture of where sensitive data lives, how it moves, and who can reach it.
From that picture, risks become concrete. Instead of "unauthorised access to data," you get "a compromised CI token could read production database credentials from the pipeline." Instead of "data loss," you get "our primary datastore has no tested restore path, so a corrupting migration could lose a day of customer data." Engineers engage with these because they are true, specific, and clearly about systems they own.
This is also how you find the risks that generic templates miss entirely. The interesting risks in a SaaS company usually live in the seams: the deploy pipeline, the internal admin tools, the shared service accounts, the third party with broad API access. None of those appear on a standard threat list.
Score in a way people can argue with
Numbers people cannot reason about get ignored. So make the scoring legible.
Rather than an abstract one-to-five likelihood, describe the conditions. Is there a known path an attacker or an accident could take? Do existing controls block it, slow it, or miss it entirely? Has something like it happened here or at similar companies? Ground the likelihood in evidence and reasoning that someone can challenge.
For impact, tie it to things the business already measures: customer data exposed, hours of downtime, revenue at risk, regulatory exposure, contractual penalties. When impact is expressed in terms leadership and engineers both recognise, the prioritisation that follows is defensible.
You do not need elaborate mathematics. A simple, consistent scale is fine, as long as every score has a stated rationale. The goal is not precision to two decimal places. The goal is that two reasonable people looking at the same risk would land in roughly the same place, and could explain why.
Treatment decisions are the actual point
A risk assessment exists to drive decisions. For each significant risk you have four honest options:
- Mitigate by adding or strengthening a control
- Accept the risk deliberately, with a named owner and a documented reason
- Transfer part of it, for example through insurance or a contractual term
- Avoid it by changing what you do
Engineers respect this because it mirrors how they already make trade-offs. Not every risk gets fixed. Some are accepted with eyes open because the cost of mitigation outweighs the exposure. Writing that down, with an owner and a rationale, is a legitimate and mature outcome. It is far better than a vague plan to "improve security" that nobody owns.
Where you choose to mitigate, connect the treatment to real work: a ticket, an owner, a target date. When a risk on the assessment turns into a tracked engineering task, the assessment stops being a separate artefact and becomes part of how the team plans. That is the moment it earns respect.
Keep it alive between audits
A risk assessment reviewed once a year is already stale by the time anyone looks at it. Systems change weekly. New services, new integrations and new data flows each carry new risk.
Tie reviews to events that already happen. A significant architecture change, a new third party handling customer data, a security incident, or entry into a new market are all natural triggers to revisit the relevant risks. Lightweight and frequent beats exhaustive and annual.
It also helps to let engineers raise risks directly. If someone building a feature spots a real exposure, there should be an obvious, low-friction way to log it. When the assessment absorbs risks the team surfaces on its own, it becomes a shared record of what the organisation actually worries about, rather than a document owned by one function.
Bottom line
A risk assessment engineers respect is grounded in real systems, scored in terms people can challenge, and resolved through decisions that turn into tracked work. Do that, and it stops being audit theatre and starts being a genuine tool for building safer software, one that also happens to satisfy ISO 27001 cleanly. If your current assessment feels like a spreadsheet nobody reads, a Kellwick readiness review can help you rebuild it around your architecture so that both your engineers and your auditor take it seriously.
Need a second pair of eyes before the auditor does?
A readiness review shows exactly where your ISMS stands - and what to fix first - while there is still time to act on it.