
How ISMSVision supports ISO 27001 risk requirements

ISO 27001 certification applies to your ISMS, not to a vendor's product. ISMSVision is tooling that helps you run repeatable processes and retain evidence; your accredited certification body decides conformity.

The standard’s risk clauses ask for a coherent story: identify and assess risk, treat it with chosen controls, record decisions, operate and monitor, then improve when things change. ISMSVision’s Risk Management module mirrors that story in software—register, assess, link controls, show residual position, track findings, and configure the taxonomy your auditors expect.

Mapping at a glance

ISO theme (high level): how ISMSVision helps

Risk assessment process (identify, analyse, evaluate): Risk register with structured fields, risk types and sources, a configurable risk matrix (likelihood × impact mapped to inherent bands, or your enterprise scoring scheme), and ownership tabs so every risk has an explicit owner.

Risk treatment and residual risk: Link risks to controls from the control library; capture inherent vs residual ratings, the treatment decision for each risk, and evidence-oriented tabs on each risk record.

Statement of Applicability: A dedicated Statement of Applicability workspace summarises the applicability of controls from your library, supporting the SoA narrative alongside the register. See how ISMSVision helps with the SoA.

Non-conformities and corrective action: Non-conformities tab with configurable statuses and sources; connect findings to the control context your process uses.

Continual improvement: Improvement opportunities tab keeps opportunities for improvement (OFIs) visible; overview metrics highlight high residual risk, risks with missing assessments, and control effectiveness gaps.

Documented information and traceability: Activity-style history on risk records; optional references to service desk tickets in the risk source context where your tenant links incidents or requests to risk scenarios.
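The table above describes the scoring model in words: a configurable likelihood × impact matrix, an inherent rating captured before treatment, a residual rating claimed after linking controls, and overview metrics for high residual risk, missing assessments and effectiveness gaps. The following is an added illustration of how such a register can be modelled and checked; it is example code written for this page, not ISMSVision's implementation, and the class names, field names, band thresholds, and Annex A references in the sample data are all constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Rating = Tuple[int, int]  # (likelihood, impact), each 1..scale


@dataclass(frozen=True)
class RiskMatrix:
    """Configurable likelihood x impact matrix (assumed 5x5 example, not a product default)."""
    scale: int = 5
    # (band name, lowest score, highest score); the bands must cover 1..scale*scale without gaps
    bands: tuple = (("Low", 1, 4), ("Medium", 5, 9), ("High", 10, 15), ("Critical", 16, 25))
    unacceptable: frozenset = frozenset({"High", "Critical"})  # bands above risk appetite

    def __post_init__(self) -> None:
        covered = sorted(s for _, lo, hi in self.bands for s in range(lo, hi + 1))
        if covered != list(range(1, self.scale * self.scale + 1)):
            raise ValueError("bands must cover every score exactly once")

    def score(self, likelihood: int, impact: int) -> int:
        for v in (likelihood, impact):
            if not 1 <= v <= self.scale:
                raise ValueError(f"rating {v} outside 1..{self.scale}")
        return likelihood * impact

    def band(self, score: int) -> str:
        return next(name for name, lo, hi in self.bands if lo <= score <= hi)


@dataclass
class Control:
    control_id: str                      # reference into the control library (assumed Annex A ids)
    status: str                          # "implemented" | "planned" | "not applicable"
    effectiveness: Optional[str] = None  # "effective" | "partial" | "ineffective" | None = not yet reviewed


@dataclass
class Risk:
    risk_id: str
    title: str
    owner: Optional[str]
    inherent: Optional[Rating] = None    # assessed before controls
    residual: Optional[Rating] = None    # claimed after treatment
    treatment: str = "modify"            # modify | retain | avoid | share
    controls: List[Control] = field(default_factory=list)


class RiskRegister:
    def __init__(self, matrix: RiskMatrix) -> None:
        self.matrix = matrix
        self.risks: Dict[str, Risk] = {}

    def add(self, risk: Risk) -> None:
        if risk.risk_id in self.risks:
            raise ValueError(f"duplicate risk id {risk.risk_id}")
        # Consistency check an auditor will apply: residual may never exceed inherent.
        if risk.inherent and risk.residual:
            if self.matrix.score(*risk.residual) > self.matrix.score(*risk.inherent):
                raise ValueError(f"{risk.risk_id}: residual score exceeds inherent score")
        self.risks[risk.risk_id] = risk

    def rating(self, pair: Optional[Rating]) -> Optional[Tuple[int, str]]:
        if pair is None:
            return None
        s = self.matrix.score(*pair)
        return s, self.matrix.band(s)

    def missing_assessments(self) -> List[str]:
        """Risks that cannot be evidenced: no owner, no inherent rating, or a treated risk with no residual."""
        out = []
        for r in self.risks.values():
            if r.owner is None or r.inherent is None:
                out.append(r.risk_id)
            elif r.treatment in ("modify", "share") and r.residual is None:
                out.append(r.risk_id)
        return out

    def high_residual(self) -> List[str]:
        """Risks whose current position (residual, or inherent if untreated) sits above appetite."""
        out = []
        for r in self.risks.values():
            pair = r.residual or r.inherent
            if pair and self.matrix.band(self.matrix.score(*pair)) in self.matrix.unacceptable:
                out.append(r.risk_id)
        return out

    def effectiveness_gaps(self) -> Dict[str, List[str]]:
        """Risks rated lower than inherent whose reduction rests on controls not implemented or not reviewed."""
        gaps: Dict[str, List[str]] = {}
        for r in self.risks.values():
            if r.inherent is None or r.residual is None:
                continue
            if self.matrix.score(*r.residual) >= self.matrix.score(*r.inherent):
                continue
            weak = [c.control_id for c in r.controls
                    if c.status != "implemented" or c.effectiveness != "effective"]
            if not r.controls:
                gaps[r.risk_id] = ["<no controls linked>"]
            elif weak:
                gaps[r.risk_id] = weak
        return gaps


def build_sample_register() -> RiskRegister:
    """Constructed sample data for the demonstration; ids and ratings are invented."""
    reg = RiskRegister(RiskMatrix())
    reg.add(Risk("R-01", "Ransomware on file servers", "IT Ops", inherent=(4, 5), residual=(2, 4),
                 controls=[Control("A.8.13", "implemented", "effective"),
                           Control("A.8.7", "implemented", "effective")]))
    reg.add(Risk("R-02", "Leaked API keys in source repos", "AppSec", inherent=(4, 4), residual=(2, 3),
                 controls=[Control("A.8.28", "planned"), Control("A.8.4", "implemented", None)]))
    reg.add(Risk("R-03", "Vendor outage of payroll SaaS", None, inherent=(3, 3), treatment="share"))
    reg.add(Risk("R-04", "Physical theft of laptops", "Facilities"))
    reg.add(Risk("R-05", "Insider data exfiltration", "CISO", inherent=(3, 5), residual=(3, 4),
                 controls=[Control("A.8.12", "implemented", "effective")]))
    return reg
```

Running `build_sample_register()` and the three overview methods flags R-03 and R-04 as unassessed, R-05 as still above appetite after treatment, and R-02 as a residual claim resting on one planned and one unreviewed control. The `add()` check that rejects a residual score above the inherent one is the kind of invariant worth enforcing in the register itself rather than catching at audit time.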

Configuration = your methodology, not ours

ISO 27001 (clause 6.1.2) requires your risk criteria to be defined and applied so that repeated assessments give consistent and comparable results. ISMSVision exposes configuration for risk types, lifecycle statuses, identification sources, common threat phrases, the risk matrix, control categories, status, effectiveness and monitoring cadence, and non-conformity workflow labels, so the app reflects your methodology rather than forcing a single proprietary scale.

Automation where it helps

Risk-specific workflows (built with the same visual designer as service management, but scoped to risk management) and notification templates for risk, non-conformity (NC), opportunity for improvement (OFI) and control events let you operationalise review and approval steps without losing the audit trail.

For a feature walk-through, continue with managing risks in ISMSVision (detailed guide). For ISO vocabulary alone, see ISO 27001 risk requirements.

See the module on the product page

Risk Management is one module in the ISMSVision suite—combine with Document Management for policy evidence and Service Management for incident linkage.
