
Running ISO 27001 and 42001 risk assessment in HubSpot

Close the coverage, stale ratings, and treatment evidence gaps.

Three risk-assessment problems HubSpot solves


Why does a risk rating need a defined matrix behind it?

  • A risk lives as a record with likelihood and impact chosen against defined bands, not numbered one to five and left vague. So the rating rests on criteria you set in advance, the way 27001 clause 6.1.2 expects. The matrix is your acceptance criteria made concrete.
  • The rating is calculated, not typed. A calculated property derives inherent risk from the two inputs by a fixed rule, then residual risk the same way after treatment. The logic is a published grid anyone can read, so the number is reproducible and auditable.
  • Where the bands are anchored to something concrete, the rating means something. Vague scales give a confident number resting on nothing. The register's worth is decided in the band definitions, not the multiplication.


Why does the register cover last year's estate, not today's?

  • The risk register reads the asset and AI use registers, so a new tool or AI use case surfaces as something awaiting assessment. Coverage tracks the estate you actually run rather than the one frozen at certification. The agent we run on our own setup drafts the skeleton and lists what has no rating yet.
  • It patrols for staleness too: risks not reviewed in a set period, treatments with no owner, ratings that breach your criteria. A review date sits on each record and a workflow surfaces it. Re-assessment is prompted before a rating goes stale, not discovered at audit.
  • The agent drafts and patrols; it never rates. Where it suggests a likelihood or impact, the record shows the suggestion, the value a human confirmed, and the rating the matrix derived, side by side. The judgement stays yours and stays visible.


Why does the Statement of Applicability claim more than you can show?

  • Each risk links to its treatment and the control that delivers it. So the Statement of Applicability reads from the register rather than asserting controls separately. A control claimed in the SoA traces to a treated risk and the evidence behind it.
  • Residual risk is recorded after treatment, against the same matrix. You can show which risks remain above your acceptance threshold and what is being done about them. The treatment plan is a live view, not a document filed once.
  • When a risk, its treatment, its control, and its evidence sit on one connected trail, the SoA stops outrunning reality. The auditor reads a register that backs its own claims. Nothing on paper lacks something behind it.
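The three lists above describe one pattern: likelihood and impact chosen from anchored bands, a rating derived by a fixed published rule, residual risk rated against the same matrix after treatment, and a patrol that flags coverage, staleness, ownerless treatments and ratings above the acceptance threshold. The following is an added example written for this page, not PYB's or HubSpot's code; it implements that pattern in plain Python so the logic a calculated property and a review workflow would hold can be read and checked in one place. Every band anchor, cut-off, asset name and risk record in it is constructed.

```python
"""Risk matrix and patrol logic (added example; not PYB's or HubSpot's code).

Likelihood and impact are chosen from anchored bands, the rating is derived by a
fixed published rule, residual risk is rated against the same matrix after
treatment, and a patrol flags coverage, staleness, ownerless treatments and
ratings above the acceptance threshold. All anchors, thresholds and records
below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Anchored bands: each label is tied to a concrete criterion (constructed anchors).
LIKELIHOOD = {
    "rare": (1, "not expected within 5 years"),
    "unlikely": (2, "could occur once in 2-5 years"),
    "possible": (3, "could occur about once a year"),
    "likely": (4, "expected several times a year"),
    "almost_certain": (5, "expected monthly or more often"),
}
IMPACT = {
    "negligible": (1, "no data exposed, under 1 hour of disruption"),
    "minor": (2, "internal data only, under 1 day of disruption"),
    "moderate": (3, "customer data exposed, regulator notified"),
    "major": (4, "special-category data exposed, fines plausible"),
    "severe": (5, "business-threatening loss or sanction"),
}
# Published grid: score = likelihood x impact, classified by fixed cut-offs.
RATING_BANDS = [(4, "low"), (9, "medium"), (15, "high"), (25, "critical")]
ACCEPTANCE_THRESHOLD = 4  # scores above this need treatment (constructed criterion)


def rate(likelihood: str, impact: str) -> tuple[int, str]:
    """Derive (score, band) from two band labels by the published rule.
    An unknown label raises KeyError, so a typo never yields a confident rating."""
    score = LIKELIHOOD[likelihood][0] * IMPACT[impact][0]
    for ceiling, band in RATING_BANDS:
        if score <= ceiling:
            return score, band
    raise ValueError(f"score {score} falls outside the published grid")


@dataclass
class Risk:
    risk_id: str
    asset: str                                  # asset or AI use case concerned
    likelihood: str                             # value a human confirmed
    impact: str
    last_reviewed: date
    treatment_owner: Optional[str] = None
    residual_likelihood: Optional[str] = None   # re-rated after treatment
    residual_impact: Optional[str] = None
    suggested_likelihood: Optional[str] = None  # agent's draft, kept for display
    suggested_impact: Optional[str] = None

    def inherent(self) -> tuple[int, str]:
        return rate(self.likelihood, self.impact)

    def residual(self) -> tuple[int, str]:
        # An untreated risk carries its inherent rating as the residual.
        return rate(self.residual_likelihood or self.likelihood,
                    self.residual_impact or self.impact)

    def side_by_side(self) -> dict:
        """Suggestion, confirmed value and derived rating shown together."""
        return {"suggested": (self.suggested_likelihood, self.suggested_impact),
                "confirmed": (self.likelihood, self.impact),
                "derived": self.inherent()}


def patrol(risks: list[Risk], registered_assets: set[str], today: date,
           review_period: timedelta = timedelta(days=365)) -> list[str]:
    """Draft-and-patrol checks. Returns findings for a human; it never rates."""
    findings = []
    covered = {r.asset for r in risks}
    for asset in sorted(registered_assets - covered):
        findings.append(f"unassessed: {asset} has no risk record")
    for r in risks:
        if today - r.last_reviewed > review_period:
            findings.append(f"stale: {r.risk_id} last reviewed {r.last_reviewed}")
        score, band = r.residual()
        if score > ACCEPTANCE_THRESHOLD and r.treatment_owner is None:
            findings.append(f"ownerless: {r.risk_id} ({band}) has no treatment owner")
        if score > ACCEPTANCE_THRESHOLD:
            findings.append(f"above threshold: {r.risk_id} residual {score} ({band})")
    return findings


# Constructed sample registers: one treated risk, one untreated and stale risk,
# and one registered asset with no risk record at all.
TODAY = date(2025, 6, 1)
ASSETS = {"CRM", "Support chatbot (AI)", "Payroll SaaS"}
RISKS = [
    Risk("R-001", "CRM", "possible", "major", date(2025, 3, 1),
         treatment_owner="CISO", residual_likelihood="unlikely",
         residual_impact="moderate"),
    Risk("R-002", "Support chatbot (AI)", "likely", "moderate", date(2024, 1, 15),
         suggested_likelihood="almost_certain", suggested_impact="moderate"),
]

if __name__ == "__main__":
    for r in RISKS:
        print(r.risk_id, "inherent", r.inherent(), "residual", r.residual())
    for finding in patrol(RISKS, ASSETS, TODAY):
        print(finding)
```

The point worth noticing is that `rate()` is the only place a number is produced, and it reads nothing but the two band labels and the published grid; the patrol reports conditions and leaves every likelihood and impact value to the owner who confirms it.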


5 Stars – Outstanding Experience with PYB UK!

"Their forward-thinking approach and ability to suggest innovative, practical solutions really stood out."

Ahmed Hassan
Project Manager


FAQs

How long does it take to set up risk assessment in HubSpot?

Four to six weeks, assuming the asset and AI registers it reads from exist. Weeks one to two define the matrix: likelihood and impact bands, the calculated rating, and your acceptance threshold. Weeks three to four model the risk object, link it to treatments and controls, and import your current register. Weeks five to six add the review-date workflow and the preparation-and-patrol agent, then train the owners who rate.

Can HubSpot model a risk register with a likelihood and impact matrix?

Yes. A risk is a custom object carrying likelihood and impact as enumeration properties with anchored bands. A calculated property derives the rating, and the same pattern gives residual risk after treatment. Risks associate with the assets or AI use cases they concern and with the treatments and controls that address them. PYB builds the matrix as configured criteria, so the rating is reproducible rather than typed in by hand.

Does this satisfy ISO 27001 clause 6.1.2 and ISO 42001 risk requirements?

It supports them. Clause 6.1.2 expects defined risk criteria, a repeatable assessment, and recorded results; the matrix and the risk object hold all three. Clause 6.1.3 expects treatment and a Statement of Applicability; the linked treatments and controls feed it. ISO 42001's clause 6.1 and its A.5 impact assessment attach to the AI use cases. The system records and surfaces; your risk owner sets the criteria and signs the ratings.

What HubSpot products does risk assessment need?

Custom Objects, on an Enterprise tier, model the risk register and its links to assets, AI use cases, treatments, and controls. Calculated properties derive the ratings. Operations Hub runs the agent and the data quality automation. Sales Hub or Service Hub Professional gives owners the records, review tasks, and reminders. The register sits alongside your existing 27001 and 42001 objects in one HubSpot.

Is HubSpot secure enough to hold a risk register?

HubSpot maintains SOC 2 Type II and ISO 27001 certification. PYB holds ISO 27001, ISO 9001, and ISO 42001, plus HubSpot's data migration and custom integrations accreditations. A risk register is your most sensitive governance record: it names your weaknesses and their likelihood. The platform and the partner are certified to the standards the register serves.

Talk to PYB about running ISO risk assessment in HubSpot.

A 15-minute call to walk through your risk register, your matrix, and what it looks like to keep the register current without the AI making the call. No prep, no pitch deck.

Quality assured, by HubSpot and ISO

[Accreditation badges: HubSpot Onboarding, CRM Implementation, Data Migration and Custom Integration; ISO 9001 and ISO 27001]