Is risk assessment methodology required to be documented by ISO 27001?


The requirement for documenting a risk assessment methodology is clearly outlined in ISO 27001. The standard emphasizes the importance of establishing a systematic approach to risk assessment, which involves identifying, analyzing, and evaluating risks to information security within an organization. Documenting this methodology allows an organization to ensure consistency in how risks are assessed and managed over time.

Having a documented risk assessment methodology provides several advantages: it offers clarity to auditors and stakeholders about how risks are identified and treated, and it serves as a reference point for any future assessments or audits. Furthermore, the documentation helps in demonstrating compliance with the standard and provides a basis for continuous improvement, as organizations can track changes and updates to the risk assessment process.

In contrast, the options suggesting that documentation is not required, is necessary only under specific conditions, or applies only to large projects would undermine the framework's purpose of establishing a comprehensive and consistent approach to risk management; a documented methodology is therefore essential for all organizations, regardless of size or project scale.
