Security budgets get spent every year. Controls get implemented. Policies get written. And organisations still get breached, still miss incident notification deadlines, and still find themselves unable to demonstrate to a regulator that their measures are proportionate.
In most of these cases the same root cause emerges: the organisation never clearly identified what it was actually protecting, what it was protecting it from, and how likely and serious those threats really were. Security was reactive, a response to incidents, audit findings, and vendor recommendations, rather than the product of deliberate, evidence-based decisions. This is the problem that structured risk management solves. Under ZInfV-1 it is not optional: proportionate security measures cannot be defined without a credible picture of the risks that make them necessary.
1. Why most organisations don't actually know their risks
Ask almost any organisation what their biggest information security risk is, and you will get an answer. It will usually reflect the last incident they experienced, the most recent vendor conversation they had, or the control they most recently implemented.
What it will rarely reflect is a structured assessment of the assets that matter most to the business, the realistic threats those assets face, the vulnerabilities that make those threats exploitable, and the likelihood and impact of the scenarios that emerge from that analysis.
The gap between a confident answer and a well-evidenced one is where regulatory and operational exposure lives. An organisation that cannot demonstrate how it identified its risks cannot demonstrate that its security measures are proportionate to them — which is precisely what ZInfV-1 requires.
ZINFV-1 REQUIREMENT
ZInfV-1 requires essential and important entities to implement security measures that are proportionate to the risks they face. Proportionality is not a judgment call — it is a documented position, grounded in a formal risk assessment. A regulator examining your security posture will ask to see the analysis that justifies the measures you have chosen.
2. The risk assessment most organisations are doing — and why it isn't enough
Many organisations conduct something they call a risk assessment. It typically involves a workshop, a spreadsheet of risks rated high/medium/low, and a treatment plan that maps neatly onto the controls they already have.
This exercise has value. But it has two common failure modes that undermine its usefulness as the basis for a security programme.
Failure mode 1: Risk identification without context
A risk assessment that begins with a generic list of threats — ransomware, phishing, insider risk — rather than a specific analysis of the organisation's own assets, processes, and dependencies will produce generic results. Generic results lead to generic controls. Generic controls leave organisation-specific gaps.

Effective risk identification starts with the asset landscape established in the organisational context work: the systems, data, processes, and relationships that the business actually depends on. Threats are then assessed in relation to those specific assets — not as abstract categories.
Failure mode 2: Assessment as project, not process
A risk assessment conducted once — typically to satisfy a client requirement, an audit, or a certification application — and then filed captures a snapshot of the organisation's risk picture at a single point in time. The threat landscape changes. The organisation changes. The snapshot becomes outdated, but the security programme continues to be managed against it.
The organisations that consistently demonstrate strong security posture treat risk management as a continuous discipline rather than a periodic project. Their risk register is a living document, reviewed formally at defined intervals and updated whenever significant changes occur — new suppliers, new services, new regulations, new threat intelligence.
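What "a living register" looks like when it is kept as data rather than as a filed spreadsheet, as an added example that is not from the article or from any standard: each entry ties a specific threat and vulnerability to a named asset, carries a review interval and a treatment decision, and the register can be re-scored, checked for overdue reviews, and filtered for entries that a change (such as a new supplier) forces back into assessment. The 1-5 scales, the multiplicative score, the rating thresholds and the sample entries are all constructed assumptions; an organisation substitutes its own scales and risk appetite.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed scoring model: 1-5 ordinal scales for likelihood and impact,
# score = likelihood * impact (1..25). Thresholds express the risk
# appetite and are illustrative, not prescribed by any standard.
HIGH_THRESHOLD = 15
MEDIUM_THRESHOLD = 8


@dataclass
class Risk:
    """One register entry: a specific threat against a specific asset."""
    risk_id: str
    asset: str            # the business asset from the context work
    threat: str           # what could happen to it
    vulnerability: str    # why the threat is exploitable today
    likelihood: int       # 1 (rare) .. 5 (almost certain)
    impact: int           # 1 (negligible) .. 5 (severe)
    owner: str
    last_reviewed: date
    review_interval_days: int = 90
    treatment: str = "accept"   # accept / mitigate / transfer / avoid

    def score(self) -> int:
        for name, value in (("likelihood", self.likelihood), ("impact", self.impact)):
            if not 1 <= value <= 5:
                raise ValueError(f"{self.risk_id}: {name} must be 1..5, got {value}")
        return self.likelihood * self.impact

    def rating(self) -> str:
        s = self.score()
        if s >= HIGH_THRESHOLD:
            return "high"
        if s >= MEDIUM_THRESHOLD:
            return "medium"
        return "low"

    def review_overdue(self, today: date) -> bool:
        return today - self.last_reviewed > timedelta(days=self.review_interval_days)


def rank(register: list[Risk]) -> list[Risk]:
    """Highest score first; ties broken by impact so severe-but-rare risks are not buried."""
    return sorted(register, key=lambda r: (r.score(), r.impact), reverse=True)


def overdue(register: list[Risk], today: date) -> list[Risk]:
    """Entries past their defined review interval."""
    return [r for r in register if r.review_overdue(today)]


def affected_by_change(register: list[Risk], changed_assets: set[str]) -> list[Risk]:
    """Entries that must be re-assessed when an asset changes (new supplier, new service)."""
    return [r for r in register if r.asset in changed_assets]


def review_report(register: list[Risk], today: date) -> dict[str, list[str]]:
    """What a periodic review meeting needs in front of it."""
    ranked = rank(register)
    return {
        "ranked": [f"{r.risk_id} {r.rating()} ({r.score()})" for r in ranked],
        "overdue": [r.risk_id for r in overdue(register, today)],
        # A high risk still marked 'accept' needs an explicit, signed-off acceptance.
        "untreated_high": [r.risk_id for r in ranked
                           if r.rating() == "high" and r.treatment == "accept"],
    }


# Constructed sample entries for illustration only; not real findings.
SAMPLE_TODAY = date(2024, 6, 1)
SAMPLE_REGISTER = [
    Risk("R-01", "customer billing database", "ransomware via phished administrator credentials",
         "no MFA on administrative VPN access", likelihood=4, impact=5, owner="Head of IT",
         last_reviewed=date(2024, 1, 10), review_interval_days=90, treatment="accept"),
    Risk("R-02", "public marketing website", "defacement", "CMS plugins not patched on a schedule",
         likelihood=3, impact=2, owner="Marketing", last_reviewed=date(2024, 4, 1),
         review_interval_days=180, treatment="mitigate"),
    Risk("R-03", "payroll SaaS supplier", "supplier breach exposing employee data",
         "no contractual security requirements with supplier", likelihood=2, impact=4,
         owner="HR", last_reviewed=date(2024, 5, 15), review_interval_days=90, treatment="transfer"),
]

if __name__ == "__main__":
    for key, items in review_report(SAMPLE_REGISTER, SAMPLE_TODAY).items():
        print(f"{key}: {items}")
    # A new payroll supplier is onboarded: every entry on that asset goes back for assessment.
    print("re-assess:", [r.risk_id for r in affected_by_change(SAMPLE_REGISTER, {"payroll SaaS supplier"})])
```

The point of the structure is that `overdue` and `affected_by_change` are the triggers the paragraph above describes: the register is re-run at the defined interval and on every significant change, and the report surfaces the two things a regulator will ask about, the ranking that justifies priorities and the high risks that have been accepted rather than treated.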
3. Turning risk assessment into security objectives
A risk assessment without consequences is an academic exercise. The practical purpose of understanding your risks is to make better decisions — about which controls to prioritise, where to invest, and what to communicate to leadership.
ISO 27001 (Clause 6.2) requires organisations to establish information security objectives that are measurable where practicable and that take account of the results of risk assessment and risk treatment. These objectives translate the risk picture into specific, time-bound commitments: reducing the attack surface of a critical system, achieving a defined time to detect security events, completing a supply chain security review of key suppliers.
Objectives also give leadership something concrete to govern against. A board that receives a risk register and a set of objectives tied to it — rather than a general security update — can make meaningful decisions about resource allocation and risk appetite. This is the kind of governance that ZInfV-1 expects to see demonstrated.
PRACTICAL NOTE
Security objectives should be SMART: specific, measurable, achievable, relevant to identified risks, and time-bound. 'Improve security' is not an objective. 'Reduce mean time to detect a security event from 72 hours to 24 hours by Q3 through centralised log monitoring' is: it names the metric, the baseline, the target, the deadline and the control that is expected to deliver it.
4. The planning gap is where ZInfV-1 exposure accumulates
Organisations subject to ZInfV-1 that have not conducted a structured risk assessment are not simply missing an ISO 27001 requirement. They are unable to demonstrate that any of their security measures are proportionate, because proportionality requires a documented risk baseline to measure against.
More practically: they are likely protecting the wrong things. Without a current, evidence-based risk picture, security investment follows habit, vendor relationships, and past incidents rather than actual exposure. The controls that look most impressive on paper are often not the ones addressing the highest risks.
Getting the planning right — a structured risk assessment, a maintained risk register, documented treatment decisions, and measurable security objectives — is not a compliance formality. It is the foundation that makes every other element of the security programme coherent and defensible.
NOT SURE WHAT YOUR BIGGEST RISKS ACTUALLY ARE?
Most organisations aren't — until they look properly. We work with organisations across Slovenia and the EU to conduct structured risk assessments grounded in their specific context, produce risk registers that hold up to regulatory scrutiny, and turn risk findings into security objectives that leadership can actually govern against. Our free Information Security Maturity Assessment is a useful starting point. And if you would like to talk about what a proper risk assessment would involve for your organisation, we offer a free 30-minute consultation.
Series continues — next week: Support (ISO 27001, Clause 7)
