The new version of ISO 27001, like the old one, requires the organization to perform risk assessment, including defining and implementing a risk assessment process; see
6.1.2 Information security risk assessment
The organization shall define and apply an information security risk assessment process
The new version of ISO 27001 does differ from the old one in one respect, however: risk identification no longer has to start from an asset inventory. Instead, the organization can start from the big picture and find which risks could affect the ISMS scope and cause a loss of confidentiality, integrity or availability, then identify the risk owners, then analyze and evaluate the risks, and finally decide on the risk treatment options.
c) identifies the information security risks:
1) apply the information security risk assessment process to identify risks associated with the loss of confidentiality, integrity and availability for information within the scope of the information security management system; and
2) identify the risk owners;
In addition, the requirements for the Statement of Applicability (SOA) also differ somewhat from the 2005 version: the organization must state, for each selected control, whether it has been implemented. The original text of the standard reads as follows:
d) produce a Statement of Applicability that contains the necessary controls (see 6.1.3 a), b) and c)) and justification for inclusions, whether they are implemented or not, and the justification for exclusions of controls from Annex A;