Organisations must conduct these information security risk assessments as determined in clause 6.1.2 at planned intervals or when any significant change is proposed in the ISMS. The information security risk assessment is done to assess threats and vulnerabilities to the organisation. This step helps the organisation to factually assess the organisation’s situation. and treat the risks optimally. The organisation must keep these information security risk assessment reports in a documented form.