
Risk Management in the ISMS: Evaluation, Treatment, Residual Risk – Without Excel Hell

SecTepe Editorial
6 min read

Risk management is the discipline most ISMS projects break on – not because the concept is hard, but because the methodology gets tangled in Excel sheets, treatment decisions can't be tracked anywhere, and residual risk acceptance by top management is a PowerPoint slide instead of a logged decision.

The ISO 27005 Methodology in Four Steps

  1. Identification: threats, vulnerabilities, asset combinations.
  2. Analysis: likelihood + impact = risk score.
  3. Evaluation: comparison with risk acceptance criteria.
  4. Treatment: avoid, mitigate, transfer, accept.

Sounds linear, never is. In reality you iterate between steps – and that's exactly where Excel fails.

What Integrated Risk Management Delivers

  • Risk inventory per asset: every asset gets a risk matrix with relevant threat scenarios (backed by the BSI threat catalog).
  • Evaluation with methodology enforcement: likelihood and impact are rated on a stored scale (e.g. 5×5), with required justification. "Gut feeling" is thereby explicitly marked as "qualitative evaluation".
  • Treatment decision with owner: per risk a treatment plan with measures, owner, deadline. Status tracking included.
  • Residual risk computation: after measure implementation, the residual risk is shown – with documented acceptance by top management (digital signature via eIDAS signatures).
  • Audit trail: every risk status change, every acceptance decision is stored with identity and timestamp.

Why "AI Evaluates the Risk" Doesn't Work Here

There's a noisy market in 2026 for "AI-supported risk evaluation". We use AI in several places, but risk scoring deliberately not. Three reasons:

  1. Acceptance responsibility sits legally and ethically with top management – an LLM can't take that responsibility.
  2. Context dependence: the same technical risk has a different impact in a regulated environment than in a non-regulated one. An LLM doesn't know this context sufficiently.
  3. Reproducibility: the same risk has to be evaluated the same today, tomorrow, and next year – LLM outputs fluctuate.

Where AI helps: pre-filling threat lists per asset (typical threats for DB servers, web apps, endpoints), suggesting measure templates, generating risk descriptions for reports.

Top-3 Pain Points – And How We Address Them

1. "We Have 200 Risks in Excel and Nobody Looks at It Anymore"

Solution: bulk import from Excel with a mapping wizard, then owner assignment with reminder mails. Filter by severity, status, and owner instead of scrolling through a 200-row Excel sheet.

2. "We Don't Know If the Risk Is Really Smaller After the Measures"

Solution: residual risk computation with a transparent formula (risk before measures × effectiveness of measures = residual risk). The effectiveness is checked in the reviews of the measures.
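As an added illustration (not SecTepe.Core code), the four ISO 27005 steps, the enforced 5×5 rating with mandatory justification, the residual risk formula and the audit trail in one small Python risk register. The acceptance threshold, the asset and threat values, and the reading of "effectiveness" as the fraction of the score a measure removes are assumptions; the page gives only the formula's shape.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

SCALE = range(1, 6)       # 5x5 scale: likelihood and impact are each rated 1..5
ACCEPTANCE_THRESHOLD = 8  # constructed acceptance criterion: residual score <= 8 is acceptable

@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: int
    impact: int
    justification: str
    measures: list = field(default_factory=list)     # (name, owner, effectiveness 0..1)
    audit_trail: list = field(default_factory=list)  # (utc timestamp, identity, event)
    accepted_by: str = ""

    def __post_init__(self):
        # Methodology enforcement: ratings must be on the scale and must be justified.
        if self.likelihood not in SCALE or self.impact not in SCALE:
            raise ValueError("likelihood and impact must be on the 1..5 scale")
        if not self.justification.strip():
            raise ValueError("a rating without justification is not accepted")
        self._log("analysed", "system")

    def _log(self, event, identity):
        self.audit_trail.append((datetime.now(timezone.utc).isoformat(), identity, event))

    def score(self):  # step 2: analysis, likelihood x impact
        return self.likelihood * self.impact

    def residual(self):
        # Assumption: effectiveness is the fraction of the score a measure removes; measures multiply.
        score = float(self.score())
        for _, _, effectiveness in self.measures:
            score *= 1 - effectiveness
        return round(score, 2)

    def evaluate(self):  # step 3: comparison with the acceptance criterion
        return "acceptable" if self.residual() <= ACCEPTANCE_THRESHOLD else "treat"

    def add_measure(self, name, owner, effectiveness, identity):  # step 4: mitigate
        self.measures.append((name, owner, effectiveness))
        self._log(f"measure added: {name} (owner: {owner})", identity)

    def accept_residual(self, identity):  # step 4: accept, logged with identity and timestamp
        if self.evaluate() != "acceptable":
            raise ValueError("residual risk exceeds the acceptance criterion; treat it first")
        self.accepted_by = identity
        self._log("residual risk accepted", identity)
```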

3. "Top Management Never Officially Accepted the Residual Risk"

Solution: digital acceptance workflow with eIDAS-compliant signature. Audit trail has the evidence, no "mail chain proof" drama at the audit.

Integration with Other Modules

  • Asset management: risks are attached to assets; asset criticality flows into the risk evaluation.
  • Action plan: treatment decisions create tasks in action tracking.
  • Review cycle: risks are re-evaluated at least annually.
  • BCDR: critical risks automatically trigger BCDR plan creation.
  • Audit export: risk report with treatment plan and residual risk acceptance ready for the ISO 27001 auditor.

Conclusion

Risk management is not a tooling problem but a question of methodological discipline and traceable documentation. SecTepe.Core delivers the tooling that enforces the methodology – turning "we did a risk assessment two years ago" into a continuous, auditable discipline. Top management gets a real decision basis, the auditor gets a complete file.