Information Security Risk Management

Stay informed and in control

Identify, mitigate and manage risks to your organisations data, systems and activities. InfoSaaS allows you to stay in control of your threats and vulnerabilities through an effective risk management approach, intuitive workflows and real-time reporting and escalations. It is worth noting that our risk management framework meets the requirements of the international standard ISO27005 and currently supports the ISO27001 certifications of hundreds of organisations across the world.

“Customers using InfoSaaS to manage their information security risks typically identify up to 50% more areas requiring their urgent attention than conventional, non-quantitative approaches”.

Take a Test Drive

How InfoSaaS helps ...

Policy and Approach

A mandatory requirement of the ISO27001 standard is for organisations to manage risks. There needs to be a documented approach to how these activities are delivered, which is communicated to stakeholders.

InfoSaaS promotes its trusted risk management methodology. This is communicated through the Information Security Policy and Implementation Manual templates which are part of our Document Packs.

Assets, Threats and Vulnerabilities
men using laptops

An effective ISMS needs to identify all of your information data and supporting assets, which may include premises, hardware, software, cloud services and media (amongst others).

InfoSaaS provides a comprehensive set of asset-based risk assessment templates, containing a wide variety of applicable threats and vulnerabilities which have been tailored to the risks of each asset type.

Everything is completely customisable to meet your organisation’s individual needs quickly and easily.

Completion of Risk Assessments

InfoSaaS delivers an intuitive and easy to use asset risk assessment solution. It allows the quantitative assessment of a focused set of threats and vulnerabilities which may have negative consequences on an asset.

Assessments of the probability and impact of each risk are measured against defined parameters, giving the asset owner an opportunity to identify and measure the effectiveness of the security controls which are in place.

Remediating Identified Risks

A thorough risk assessment will highlight those risks which have been assessed as too high for your organisation to accept.

ISO27001 requires that these risks are properly treated. InfoSaaS provides workflow options which will guide your chosen risk treatment activities.

Examples of unacceptable risks and the various options for how they can be treated can be viewed within our InfoSaaS demonstration environment.

Statement of Applicability

ISO27001 requires the production of a Statement of Applicability (SoA) to record which security controls have been selected to control risks and why.

Traditionally a manual and time-consuming process, InfoSaaS automatically produces a real-time SoA based upon your completed risk assessment activities.

Alternative Control Frameworks

By default, InfoSaaS aligns with the control set from  Annex A of ISO27001:2013. This provides a broad foundation for your organisation to manage and process information in the modern technical, internet-connected world.

InfoSaaS includes optional control sets aligned with  ISO27017 (for the security of cloud environments), ISO27018 (for the security of personal data within cloud environments), ISO27701 (for privacy management) and ISO28001 (for supply chain management).


Depending on the size, function or sector of your organisation, risk management activities may seem complex or challenging. Whilst many customers find  they can use our software to deliver the appropriate elements of the ISO27001 standard themselves, others may need a helping hand.

We offer workshops, training or shadowing sessions to guide organisations through the whole process. Please contact us to discuss your specific requirements.

Bespoke Development

We recognise that some organisations have specific risk management requirements, which are not fully met by our standard cloud-based solution.

You may have unique requirements for risk calculations, or need other operational changes, like the presentation of our software in a foreign language. We offer assistance with the incorporation of industry-specific or non-standard security control sets.

“The Bluemetrix team have found the InfoSaaS solution to be both comprehensive and easy to use: it has made a significant contribution to the maturity and robustness of our information security and data protection activities”.

Liam English, CEO

“The InfoSaaS platform has been enormously helpful as we work towards our ISO27001 certification goal. The structure, support and documentation available have allowed us to make quick progress now that we can easily track all of our assets, risks and actions.”

Chris Thompson, Managing Director

“At the end of the certification audit process, the auditor commented how effective our ISMS is. For me it is very satisfying to hear, from an external point of view, that we’re doing things right”.

Linda Jeffery, Project Manager

“If we weren’t using InfoSaaS, we would have had to use countless documents and spreadsheets – and that would have required far more effort!”

Paola Fulchignoni, Security Officer

“InfoSaaS provides an effective and integrated GRC solution, which makes a significant contribution to the information security posture of our clients. It has provided invaluable in guiding customers towards GDPR compliance, and we remain impressed by the new features which are added on a regular basis. Great work!”

Karen Godwin, Director

“It was clear that InfoSaaS was going to be the easiest to use … and was going to help us keep on top of everything properly.”

James Chillman, Managing Director

Learn more

“InfoSaaS provides established and credible solutions for delivering information security and data governance, proven time and again with successful certification results amongst our client portfolio. We have no hesitation in recommending InfoSaaS.”

Martin Law, Information Security Entrepreneur