Apr 29, 2025

How do you come up with your Risk Appetite threshold?

To be honest, it is not straightforward to pin it down to a number.

If your ISO lead auditor asks you to justify the threshold you applied, will you be able to answer it meaningfully? From an auditor’s perspective, if you cannot provide a logical response - that’s a red flag. Why?

The threshold score you settle on underpins the effectiveness of your Information Security Management System (ISMS). Choosing a high risk threshold means your organisation will be accepting risks that spell disaster if they materialise. Choosing a low risk threshold means you will waste your organisation’s resources addressing risks that you could absorb if they did materialise.

This article explores why risk appetite is a strategic pillar of ISO 27001, how to define it practically, and how tools like FMEA scoring can help you visualise and determine your true risk threshold.

ISO/IEC 27001:2022 underscores the need for a structured, risk-based approach. Under Clause 6.1.2 (Risk Assessment) and 6.1.3 (Risk Treatment), organizations must assess and treat risks systematically.

If your ISMS accepts, treats, or transfers risks without a well-thought-out process that defines a threshold, you are missing a core part of the Risk Assessment exercise.

FMEA as a Tool That Helps You Define Risk

The Failure Modes and Effects Analysis (FMEA) approach is widely used in engineering and manufacturing but is a mechanism that can be borrowed in areas such as Information Security Risk Assessment.

With FMEA, each risk is scored based on three dimensions:

  • Severity – How serious is the impact if the risk materializes?
  • Occurrence – How likely is it to happen?
  • Detection – How likely is it that the risk will be detected - before impact?

A score of 1 to 10 is applied to each of the three metrics above (where 1 indicates a low contribution to the outcome of the risk and 10 indicates the opposite). After scoring, you calculate the Risk Priority Number (RPN) by multiplying the three metrics together: RPN = Severity × Occurrence × Detection, giving a value between 1 and 1000.

How does the Risk Threshold come into the picture?

The Risk Threshold is the RPN value that separates acceptable risks from those that must be addressed: any risk whose RPN is above the threshold falls outside your risk appetite.

The immediate question that pops up is: what is an acceptable threshold? A truly mature Management System can explain, strategically and confidently, how this threshold was determined.

But especially for Organizations that are building their Management System for the first time, determining the Risk Threshold is too abstract. 

In my opinion, one way to hack this dilemma is to take a bit of a deductive approach.

Once you've scored all risks in your register using the FMEA method:

  1. Sort your risks by descending RPN.
  2. The risks at the top represent your highest-priority threats.
  3. The risks at the bottom are likely tolerable or acceptable.
  4. The line you draw between the risks you can live with and the ones you need to address indicates your risk threshold.
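The deductive procedure above, worked through in code as an added illustration (not tooling from the article or from MS Frog): a constructed register is scored with FMEA, sorted by descending RPN, and the threshold is derived from the line the decision makers draw, with a check that the chosen line can actually be expressed as a single RPN cut. All risk names and scores are made up for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Risk:
    """One register entry, scored 1-10 on the three FMEA dimensions."""
    name: str
    severity: int    # impact if the risk materialises (10 = worst)
    occurrence: int  # likelihood it happens (10 = most likely)
    detection: int   # 10 = least likely to be detected before impact

    def rpn(self) -> int:
        """Risk Priority Number: Severity x Occurrence x Detection (1..1000)."""
        for score in (self.severity, self.occurrence, self.detection):
            if not 1 <= score <= 10:
                raise ValueError(f"{self.name}: FMEA scores must be 1-10")
        return self.severity * self.occurrence * self.detection

# Constructed sample register; scores are illustrative, not real assessment data.
REGISTER = [
    Risk("Phishing leading to credential theft", 7, 7, 5),   # RPN 245
    Risk("Lost unencrypted laptop", 8, 3, 8),                # RPN 192
    Risk("Ransomware on file server", 9, 5, 4),              # RPN 180
    Risk("Visitor tailgating into office", 4, 6, 5),         # RPN 120
    Risk("Unpatched public web application", 8, 4, 3),       # RPN 96
    Risk("Printer misconfiguration", 3, 4, 2),               # RPN 24
    Risk("Expired TLS certificate", 5, 2, 1),                # RPN 10
]

def rank_by_rpn(register):
    """Step 1: sort the register by descending RPN."""
    return sorted(register, key=lambda r: r.rpn(), reverse=True)

def derive_threshold(register, must_treat):
    """Step 4: decision makers name the risks they cannot live with; the
    threshold is the lowest RPN among those. Raises if an unchosen risk
    scores at or above that line, i.e. the decision is not a clean RPN cut
    and the discussion needs revisiting (and documenting)."""
    threshold = min(r.rpn() for r in register if r.name in must_treat)
    skipped = [r.name for r in register
               if r.rpn() >= threshold and r.name not in must_treat]
    if skipped:
        raise ValueError(f"RPN at or above {threshold} but not selected: {skipped}")
    return threshold

def classify(register, threshold):
    """Split the register into risks to treat (RPN >= threshold) and to accept."""
    ranked = rank_by_rpn(register)
    return ([r for r in ranked if r.rpn() >= threshold],
            [r for r in ranked if r.rpn() < threshold])
```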

What’s key is that you document why you’ve deemed certain risks as tolerable and others as critical. Also, this exercise isn’t something you do alone in 2 minutes. It must be a careful discussion between the key decision makers.

This approach should help you resolve an otherwise abstract question. It is not a perfect approach, but it gives you a solid framework for breaking down the problem you are trying to solve.

© 2025 MS Frog. All rights reserved.