Your first ISO 27001 audit is scheduled for June 2026, and your risk assessment is still a spreadsheet of vaguely worded threats and unchecked boxes. You are not alone. The problem is not that you lack a risk register — it is that your register does not survive five minutes of auditor scrutiny. UK financial firms, from PSD2 payment initiators to FCA-regulated brokers, are discovering that the ISMS standard’s risk assessment methodology is the single biggest reason certification fails at Stage 2. The auditor does not care that you have a list. They care that you have a defensible, repeatable, and documented decision-making process.
This post lays out exactly how to build an ISO 27001 risk assessment that passes Stage 1 review and Stage 2 verification — specifically for UK finance entities — using real methodology, not template fluff. We cover the three critical steps: selecting a compliant method, building a risk register that demonstrates control ownership, and producing a risk treatment plan that satisfies certification bodies. By June 2026, your ISMS must show that risk is managed, not just recorded.
1. Why ISO 27001 Risk Assessment Fails in UK Finance — The Audit Reality
Certification bodies such as BSI, LRQA, and DNV report that risk assessment documentation is the top non-conformity area for first-time ISO 27001 candidates across the UK financial services sector. The root cause is not incompetence. It is confusion between compliance risk (FCA handbook violations) and information security risk (confidentiality, integrity, availability). Your auditor does not want a risk list that mirrors your FCA/PRA documentation. They want a method that can be traced from asset identification to residual risk acceptance — and that method must be repeatable by any competent team member.
UK finance entities operate under additional pressure: the FCA’s operational resilience framework (PS21/3) demands that critical business services withstand severe but plausible scenarios. Your ISO 27001 risk assessment must align with those scenarios. If your risk register does not reference your impact tolerances, you are building two separate risk languages that will collide during examination. The June 2026 audit window means you have approximately 18 weeks to resolve these gaps before submission.
2. Step One: Select a Defensible Risk Assessment Methodology
ISO 27001 does not mandate a specific risk assessment methodology. Clause 6.1.3 requires the organisation to “define and apply an information security risk assessment process.” That process must produce comparable and reproducible results. For UK finance, three methodologies are audit-proven: the ISO 27005 method, the UK NCSC’s risk management approach (which maps to HMG IA and CESG patterns), and the OCTAVE Allegro framework for SMEs. We recommend the ISO 27005 methodology for regulated firms because it maps directly to the seven-part treatment process auditors expect.
Methodology Requirements You Must Document
Your documentation must explicitly state: the method used (name and version), the risk acceptance criteria (e.g., “residual risk below 12 on a 25-point scale”), and the scales for likelihood and impact (ordinal, with definitions). If your risk matrix uses ratings of 1-5 but you cannot define what a “3” means in business terms, the auditor will flag it. Example: likelihood level 3 = “will occur once every 2-3 years based on industry loss events from the UK Cyber Security Breaches Survey 2024.”
Key trap: mixing qualitative and quantitative scales without explanation. If you use annualised loss expectancy (ALE) for financial assets and qualitative high/medium/low for reputational assets, document the rationale. Otherwise, the auditor treats it as incoherent. Our ISO 27001 certification consultants have seen this single error cause Stage 2 referral in three consecutive audits.
3. Step Two: Build an Information Security Risk Register That Works Under Scrutiny
The information security risk register is not a list of vulnerabilities from a Nessus scan. It is a living document that maps threats to assets, controls, and business impact. Each entry must contain: unique ID, asset reference (from your asset inventory), threat source (e.g., “external adversary — disgruntled ex-employee with privileged access”), vulnerability description, inherent risk rating (likelihood × impact), existing controls (specific, not generic like “firewall”), residual risk rating, and treatment decision (risk reduction, retention, avoidance, or transfer).
For UK finance, the asset inventory must include cloud services, SaaS tools, and third-party data processors. The FCA’s Operational Resilience rules require you to know which third parties support critical services. If your risk register only covers on-premise servers, you are missing the majority of your attack surface. The auditor will request evidence of third-party risk assessments, and your register must show that each supplier’s risks feed into your own. This is where the ISO 27001 risk assessment methodology becomes practical: you must define a consistent method for assigning threat actors to supplier relationships.
Common Risk Register Errors That Trigger Non-Conformities
- Vague asset descriptions: “Customer database” is not enough. Specify the server hostname, database instance, and data classification (e.g., “SQL-UK-FIN-01, holding PII and payment card data, classified as Restricted”).
- Missing control evidence: “Firewall” is a category, not a control. State the config rule, the last review date, and the patch version. Use the table from Annex A as a checklist, not a crib sheet.
- No residual risk acceptance: Every risk escalated to “risk reduction” must show a target residual rating. Without it, the auditor cannot verify that your treatment plan reduces risk to an acceptable level per your stated criteria.
- Unlinked risk owners: Each risk must have a named owner with authority to implement controls. A junior IT staff member cannot own “data breach from ransomware.” It must be the data protection officer or CISO — someone who can approve budget and changes.
4. Step Three: The Risk Treatment Plan Template That Passes Stage 2
A risk treatment plan template is not the same as the risk register. The treatment plan is the forward-looking document that specifies what you will do about each risk, by when, and at what cost. The auditor will check that every risk marked “reduce” has a treatment that maps to specific controls from Annex A or custom controls with a documented rationale. The template must include: risk ID, current residual risk rating, target residual risk rating, control description, implementation owner, budget allocation, start date, review date, and status (planned, in progress, completed, overdue).
For UK finance, the treatment plan must also account for FCA regulatory timelines. If your target residual risk rating for a “failure of payment infrastructure” is not achieved by Q2 2026, and your service impact tolerance is breached, you have a regulatory exposure that the FCA will not ignore. The ISO 27001 auditor may not report to the FCA, but your Stage 2 report will be viewed by your board as compliance evidence. Use the treatment plan as the bridge between ISMS and operational resilience.
Building a Treatment Plan That Auditors Trust
Start with the high-severity risks (inherent rating 16+ on a 25-point scale) and produce one plan per risk. Do not group multiple risks into one row — auditors see that as a lack of granularity. For each control, cite the specific Annex A control number (e.g., A.9.1.2 for access management). If you add a custom control, document why Annex A does not cover it. The UK NCSC’s Risk Management and Incident Management guidance provides use-case examples for custom controls in the finance sector.
Set realistic dates. If your June 2026 audit is the target, your risk treatment plan must have all reduction measures completed by April 2026 to allow a “go live” period. The auditor wants to see that controls have been operating for a minimum of 3-6 months before the Stage 2 audit. A plan that lists completion dates of June 2026 itself will result in a non-conformity for unverified control effectiveness.
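An added example, not part of the original post: a Python check that applies the treatment-plan rules above (one plan per risk, a target below the current residual, an Annex A number or a documented custom control, and a completion date that leaves operating evidence before the audit) to one row at a time. The 90-day window (the lower bound of the 3-6 months mentioned), the Annex A reference pattern, the field names, the reporting date and the two sample rows are assumptions constructed here.

```python
import re
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

AUDIT_DATE = date(2026, 6, 1)  # Stage 2 window named in the text: June 2026
MIN_OPERATING_DAYS = 90  # assumed lower bound of the "3-6 months" of operating evidence the auditor wants
ANNEX_A_REF = re.compile(r"^A\.\d+\.\d+(\.\d+)?$")  # Annex A control number such as A.9.1.2
AS_OF = date(2026, 1, 26)  # constructed reporting date, roughly 18 weeks before the audit window

@dataclass
class TreatmentRow:
    risk_ids: List[str]  # one plan per risk: more than one ID here is the grouping error
    current_residual: int  # likelihood x impact on the 5x5 matrix
    target_residual: int
    control_ref: str  # Annex A number, or "CUSTOM" for a custom control
    custom_rationale: Optional[str]  # why Annex A does not cover it (required when CUSTOM)
    owner: str  # implementation owner
    start: date
    completion: date  # date from which the control is operating

def derive_status(row: TreatmentRow, today: date, completed_on: Optional[date] = None) -> str:
    """One of the text's four status values as of `today`."""
    if completed_on is not None and completed_on <= today:
        return "completed"
    if today > row.completion:
        return "overdue"
    return "in progress" if today >= row.start else "planned"

def check_row(row: TreatmentRow, audit: date = AUDIT_DATE) -> List[str]:
    """Findings an auditor would raise against one treatment-plan row; [] means acceptable."""
    findings = []
    if len(row.risk_ids) != 1:
        findings.append("several risks grouped in one row")
    if row.target_residual >= row.current_residual:
        findings.append("target residual does not reduce the current residual")
    if row.control_ref == "CUSTOM":
        if not row.custom_rationale:
            findings.append("custom control without a rationale for why Annex A does not cover it")
    elif not ANNEX_A_REF.match(row.control_ref):
        findings.append(f"control reference {row.control_ref!r} is not an Annex A number")
    latest_ok = audit - timedelta(days=MIN_OPERATING_DAYS)
    if row.completion > latest_ok:
        findings.append(f"completion after {latest_ok}: under {MIN_OPERATING_DAYS} days of operating evidence")
    return findings

# Constructed rows: one that would pass review and one showing the errors described in the text.
GOOD = TreatmentRow(["R-001"], 20, 8, "A.9.1.2", None, "Head of Platform", date(2026, 1, 12), date(2026, 2, 27))
BAD = TreatmentRow(["R-002", "R-003"], 20, 20, "access control", None, "", date(2026, 3, 1), date(2026, 6, 15))
```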
5. The Worked Example: A UK Payment Firm’s Risk Assessment
Consider AlphaPay Ltd, a UK-based PSD2 payment initiation service provider (AISP) with 50 employees and cloud infrastructure on AWS London. Their risk assessment methodology: ISO 27005 with a 5×5 matrix (likelihood 1-5, impact 1-5). Risk acceptance criteria: residual risk ≤ 10. Asset: card data processing pipeline (AWS EC2 + RDS + CloudFront). Threat: SQL injection via API endpoint. Inherent rating: likelihood 4, impact 5 = 20. Existing controls: AWS WAF (web application firewall) with rule set version 2024-12-01, penetration testing performed 2025-08 by CREST-approved provider. Residual rating after WAF: likelihood 2 (WAF rules reduce likelihood but not to zero), impact 5 = 10. Residual risk ≤ 10 = accepted. Treatment decision: retention (risk accepted by CISO). Documentation evidence: WAF config logs, pen test report, CISO acceptance email dated 2025-09-15.
Now contrast with a typical failure: the firm’s risk register lists “SQL injection — high” without asset ID, no control evidence, and no acceptance date. The auditor escalates because there is no basis to determine if the residual risk is tolerable. The difference is the documentation of a defensible decision. Every row in your register must be as rigorous as the AlphaPay example.
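As an added illustration (not from the original post), the register requirements from Step Two and the common register errors, applied in Python to the AlphaPay row and the failing row just described. The field names, the list of generic control words, and the two constructed rows are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import List, Optional
ACCEPTANCE_THRESHOLD = 10  # AlphaPay's stated criterion: residual risk <= 10 on the 5x5 matrix
GENERIC_CONTROLS = {"firewall", "antivirus", "encryption", "monitoring"}  # categories, not controls

@dataclass
class RiskEntry:
    risk_id: str
    asset_ref: str  # asset inventory reference, e.g. "SQL-UK-FIN-01"
    threat: str
    likelihood: int  # inherent likelihood, 1-5
    impact: int  # 1-5
    controls: List[str]  # specific, evidenced controls (rule set, review date, version)
    residual_likelihood: int  # after existing controls, 1-5
    residual_impact: int
    treatment: str  # "reduce" | "retain" | "avoid" | "transfer"
    owner: str  # named owner with authority over budget and changes
    target_residual: Optional[int] = None  # required when treatment == "reduce"
    acceptance_date: Optional[str] = None  # required when treatment == "retain"

def rating(likelihood: int, impact: int) -> int:  # likelihood x impact on the 5x5 matrix (1-25)
    return likelihood * impact

def validate(e: RiskEntry, threshold: int = ACCEPTANCE_THRESHOLD) -> List[str]:
    """Findings an auditor would raise against one register row; an empty list means defensible."""
    findings = []
    if not all(1 <= s <= 5 for s in (e.likelihood, e.impact, e.residual_likelihood, e.residual_impact)):
        findings.append("rating outside the defined 1-5 scale")
    if not e.asset_ref:
        findings.append("no asset reference from the inventory")
    if not e.controls or any(c.strip().lower() in GENERIC_CONTROLS for c in e.controls):
        findings.append("control stated as a category, not an evidenced control")
    if not e.owner:
        findings.append("no named risk owner")
    residual = rating(e.residual_likelihood, e.residual_impact)
    if residual > rating(e.likelihood, e.impact):
        findings.append("residual rating exceeds inherent rating")
    if e.treatment == "retain" and residual > threshold:
        findings.append(f"retained residual {residual} exceeds acceptance criterion {threshold}")
    if e.treatment == "retain" and not e.acceptance_date:
        findings.append("retention without a dated acceptance record")
    if e.treatment == "reduce" and (e.target_residual is None or e.target_residual > threshold):
        findings.append("reduction without a target residual within the acceptance criterion")
    return findings

# Constructed rows: the AlphaPay entry from the text and the "SQL injection - high" failure beside it.
ALPHAPAY = RiskEntry("R-001", "AWS EC2 + RDS + CloudFront card data pipeline", "SQL injection via API endpoint", 4, 5,
                     ["AWS WAF rule set 2024-12-01", "CREST pen test report 2025-08"], 2, 5, "retain", "CISO", acceptance_date="2025-09-15")
FAILING = RiskEntry("R-002", "", "SQL injection - high", 4, 5, ["Firewall"], 4, 5, "retain", "")
```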
6. Common Mistakes That Cause Stage 2 Non-Conformities
- Treating the risk assessment as a one-off exercise. ISO 27001 requires periodic re-assessment (at least annually) and on triggering events (e.g., after a security incident, a major infrastructure change, or a new regulation). UK finance firms that change payment gateways or add new SaaS tools mid-cycle must update the register within 30 days.
- Ignoring legal and regulatory risks. The FCA’s Consumer Duty and Operational Resilience are not optional overlays. Your risk register must include a risk titled “non-compliance with FCA Consumer Duty obligations related to information security” with a treatment plan that maps to PS21/3 timelines.
- Using third-party risk register templates without customisation. A template from a general IT forum will not reflect UK finance data protection laws. Ensure your register references UK GDPR (ICO enforcement powers, DPA 2018 parts 2-4), the Cyber Security and Resilience Bill (in Parliament, expected enactment 2026), and the NIS Regulations 2018 if you are a digital service provider.
- Failing to link to the CloudAuditX evidence trail. If your risk register cites cloud controls (encryption at rest, network segmentation), you need evidence that those controls are active. CloudAuditX provides automated evidence collection for multi-cloud environments, directly populating your register with verifiable control status.
7. How Pyralink Innovation Ltd Prepares UK Finance Firms for the June 2026 Audit
We are Pyralink Innovation Ltd, a UK cybersecurity firm led by Michael Adedeji (CISM, CISA, CC, MSc Data Science). Our team has built and audited ISO 27001 ISMS for payment firms, credit unions, and FCA-regulated asset managers. We do not hand you a template and walk away. We run a structured workshop to define your risk assessment methodology, build your information security risk register with ownership mapping, and produce a risk treatment plan template that the certification body will accept without haggling.
Our approach includes: hands-on configuration of CloudAuditX for automated control evidence, integration of UK finance-specific regulatory requirements (FCA Operational Resilience, UK GDPR, NIS Regulations), and a dry-run Stage 1 mock audit to catch gaps before the real assessment. We carry £5M professional indemnity insurance because our clients expect institutional-grade work, not startup fluff. We also offer fractional vCISO support for firms that need ongoing risk management oversight but do not have a full-time equivalent.
Whether you are three months from your June 2026 audit or already flagging non-conformities, we can get you ready. Start with a free scan to see your current compliance posture, then book a review to discuss your risk register’s specific weaknesses.