
October 13, 2025 17 mins

Clause 6.1.2 requires the organization to define and apply a consistent methodology for information security risk assessment. This methodology must specify how risks are identified, analyzed, evaluated, and prioritized. For exam purposes, candidates must understand that the process must be repeatable, evidence-based, and aligned with the organization’s objectives and risk appetite. The methodology must also determine risk acceptance criteria, define likelihood and impact scales, and establish clear evaluation rules. The ultimate goal is to ensure comparability across assessments and to support defensible, data-driven decision-making that integrates with the ISMS lifecycle.

In practice, auditors expect to see documented risk assessment procedures and examples of their application. Techniques may include qualitative, quantitative, or hybrid scoring, often supported by heat maps or matrices. A common pitfall is treating risk assessment as a one-time exercise instead of an ongoing activity linked to operational changes. Candidates should understand how a sound methodology drives traceability between threats, vulnerabilities, and controls. Linking risks directly to the Statement of Applicability (SoA) strengthens audit readiness and ensures that control selection aligns with business priorities.

Produced by BareMetalCyber.com, where you’ll find more cyber audio courses, books, and information to strengthen your educational path. Also, if you want to stay up to date with the latest news, visit DailyCyber.News for a newsletter you can use, and a daily podcast you can commute with.
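The description above lists what a Clause 6.1.2 methodology must fix in writing: likelihood and impact scales, a scoring rule, risk acceptance criteria, and traceability from each risk to the controls in the SoA. The following Python is an added illustration written for this page, not material from the episode, from BareMetalCyber, or from the ISO 27001 standard text. The 1–5 scale labels, the multiplicative scoring rule, the three acceptance thresholds, the sample register entries and the Annex A control references attached to them are all assumptions made for the example; a real methodology document defines its own values, and auditors check that every assessment uses those same values.

```python
from dataclasses import dataclass

# Constructed 1-5 scales. The labels and the multiplicative scoring rule are
# assumptions for this example; a real methodology document must define its own.
LIKELIHOOD = {1: "rare", 2: "unlikely", 3: "possible", 4: "likely", 5: "almost certain"}
IMPACT = {1: "negligible", 2: "minor", 3: "moderate", 4: "major", 5: "severe"}

# Constructed risk acceptance criteria: (upper score bound inclusive, decision).
ACCEPTANCE_CRITERIA = (
    (6, "accept"),    # acceptable: record in the register, no treatment needed
    (12, "monitor"),  # tolerable: owner accepts in writing, re-assessed on change
    (25, "treat"),    # intolerable: treatment plan required before acceptance
)


@dataclass(frozen=True)
class Risk:
    risk_id: str
    description: str
    asset: str
    owner: str
    likelihood: int
    impact: int
    controls: tuple = ()  # control references that trace this risk to the SoA


def check_scale(value, scale, name):
    """Reject scores outside the defined scale so every assessor uses the same range."""
    if value not in scale:
        raise ValueError(f"{name} must be in {sorted(scale)}, got {value!r}")
    return value


def score(risk):
    """One scoring rule applied to every risk: likelihood x impact, range 1-25."""
    return (check_scale(risk.likelihood, LIKELIHOOD, "likelihood")
            * check_scale(risk.impact, IMPACT, "impact"))


def evaluate(risk):
    """Compare the score against the acceptance criteria and return the decision."""
    s = score(risk)
    for upper_bound, decision in ACCEPTANCE_CRITERIA:
        if s <= upper_bound:
            return decision
    raise ValueError(f"score {s} exceeds the defined criteria")  # unreachable with 1-5 scales


def assess_register(risks):
    """Score and evaluate every entry; return rows ordered by priority (highest score first)."""
    rows = [
        {
            "risk_id": r.risk_id,
            "owner": r.owner,
            "likelihood": f"{r.likelihood} ({LIKELIHOOD[r.likelihood]})",
            "impact": f"{r.impact} ({IMPACT[r.impact]})",
            "score": score(r),
            "decision": evaluate(r),
            "controls": r.controls,
        }
        for r in risks
    ]
    rows.sort(key=lambda row: (-row["score"], row["risk_id"]))
    return rows


def traceability_gaps(rows):
    """Risks flagged for treatment with no linked control: the traceability break an auditor will look for."""
    return [row["risk_id"] for row in rows if row["decision"] == "treat" and not row["controls"]]


def heat_map(risks):
    """5x5 count grid: grid[0] is impact 5 (top row), grid[4] is impact 1; columns are likelihood 1-5."""
    grid = [[0] * 5 for _ in range(5)]
    for r in risks:
        grid[5 - r.impact][r.likelihood - 1] += 1
    return grid


# Constructed sample register; IDs, owners and control references are illustrative only.
SAMPLE_REGISTER = [
    Risk("R-001", "Ransomware encrypts the file server", "file server", "IT Ops", 4, 5, ("A.8.7", "A.8.13")),
    Risk("R-002", "Key supplier outage interrupts order processing", "ERP", "Procurement", 3, 3, ("A.5.19",)),
    Risk("R-003", "Insider misuse of HR database", "HR database", "HR", 2, 4, ("A.5.15", "A.8.15")),
    Risk("R-004", "Loss of an encrypted laptop", "laptops", "IT Ops", 3, 2),
    Risk("R-005", "Unpatched internet-facing web application", "customer portal", "AppSec", 4, 4),
]

if __name__ == "__main__":
    rows = assess_register(SAMPLE_REGISTER)
    for row in rows:
        print(f'{row["risk_id"]}  score={row["score"]:>2}  {row["decision"]:<8}  controls={row["controls"]}')
    print("treat-level risks with no linked control:", traceability_gaps(rows))
    for line in heat_map(SAMPLE_REGISTER):
        print(" ".join(str(c) for c in line))
```

Two design points carry the audit argument. First, `check_scale` refuses any score outside the documented scale, so a department that invents a "6" or a "critical" tier cannot silently break comparability across assessments. Second, `traceability_gaps` makes the link to the SoA a checkable property of the register rather than a narrative claim: in the constructed data, R-005 is flagged for treatment but has no control attached, which is exactly the kind of gap between assessment and control selection that the description warns about.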


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
(00:00):
Clause 6.1.2 of ISO 27001 establishes the requirement for organizations to define a formal, consistent methodology for assessing risks within the Information Security Management System. This clause transforms risk management from a conceptual activity into a repeatable and auditable process. Its purpose is to ensure that every identified risk is evaluated using the same structured approach, producing results that are objective, comparable, and defensible. Without a defined methodology, risk assessment becomes subjective, dependent on individual judgment rather than organizational discipline. Clause 6.1.2 also connects directly to control selection and treatment planning—every decision about which controls to implement must be based on the results of an established risk assessment process. The methodology, therefore, provides the analytical backbone of the ISMS and is essential for demonstrating maturity during audit and certification.

(01:01):
A well-designed risk assessment methodology must contain several core elements that together form a complete framework. The first is a clear process for identifying risks—how the organization discovers and documents events or conditions that could affect the confidentiality, integrity, or availability of information. Next are the criteria for analyzing and evaluating those risks, including the metrics or indicators used to assess likelihood and impact. Defined scales for measurement are essential, whether they are numerical or descriptive, to ensure consistent interpretation. Finally, the methodology must establish the rules for risk acceptance—what levels of risk are considered tolerable and who has the authority to make those determinations. These elements collectively create a system for assessing risk that is both transparent and repeatable, giving decision-makers reliable data for prioritization and response.

(01:58):
Consistency is the foundation of any credible risk assessment process. When each department or assessor applies different criteria, results become unreliable and comparisons lose meaning. A consistent methodology eliminates such variation by enforcing uniform definitions, scoring systems, and evaluation processes across the organization. This uniformity allows risk data to be aggregated and analyzed over time, revealing trends and measuring improvement. It also ensures fairness—no team is unfairly penalized or overlooked due to inconsistent evaluation methods. From an auditor’s perspective, consistency strengthens confidence in the ISMS because it demonstrates that the organization is managing risk as a unified system rather than as fragmented silos. In practice, this means that every identified risk, whether technical, operational, or strategic, is assessed using the same structured lens.

(02:54):
The methodology for ISMS risk assessment should not exist in isolation; it must align with the organization’s broader risk management framework. Many organizations already follow enterprise-wide standards for risk governance, such as those defined in ISO 31000 or COSO. Integrating the ISMS methodology into these frameworks ensures compatibility with corporate governance, board-level reporting, and enterprise risk registers. This integration also reduces duplication of effort—security risks become part of the organization’s overall risk landscape rather than existing in a separate domain. When board members or regulators review the organization’s risk posture, they can see that information security risks are assessed with the same rigor as financial, operational, or compliance risks. This alignment reinforces both the credibility and the efficiency of the ISMS.

(03:48):
Designing the steps for identifying risks requires collaboration and clarity. Organizations may choose an asset-based approach, where risks are assessed according to the assets they affect—servers, applications, or data repositories. Others may adopt a scenario-based approach, analyzing possible threat situations such as ransomware attacks, insider misuse, or supplier failure. A hybrid model often works best, combining the specificity of assets with the realism of threat scenarios. Risk identification should include both technical and business perspectives to capture a full range of potential issues. Legal, operational, and reputational factors should be considered alongside cyber threats. Every identified risk must be documented, typically in a risk register that records details such as source, owner, and potential impact. This documentation provides the traceability that auditors and decision-makers rely on when verifying the integrity of the ISMS.

(04:51):
Once risks are identified, they must be analyzed to understand their significance. Analysis involves assessing two main variables—likelihood and impact. Likelihood measures how probable it is that a particular risk will occur, while impact estimates the potential damage to organizational objectives if it does. The methodology should specify how these variables are evaluated, whether qualitatively through descriptive scales (low, medium, high) or quantitatively through numerical or financial metrics. Some organizations use mixed methods, combining objective data with expert judgment to achieve balanced assessments. The results must be recorded in a structured format, often as part of the same risk register, allowing easy comparison and aggregation. This step turns a list of potential issues into actionable intelligence, enabling prioritization and treatment planning.

(05:44):
Evaluating risks goes a step further by comparing the analysis results against predefined risk acceptance criteria. These criteria define what the organization considers acceptable, tolerable, or intolerable risk. Evaluations help prioritize which risks require immediate action, which can be accepted under monitoring, and which fall within acceptable limits. High-impact, high-likelihood risks are flagged for urgent treatment, while low-impact risks may be accepted or deferred. The evaluation process ensures that resources are directed efficiently—toward the most significant threats and opportunities. It also creates a documented justification for decision-making, demonstrating to auditors that risk acceptance and mitigation are both deliberate and informed. Clear evaluation criteria also prevent overreaction, helping organizations manage risk pragmatically rather than emotionally.

(06:38):
Documentation is the anchor that holds the entire methodology together. Clause 6.1.2 explicitly requires that the risk assessment methodology be written, controlled, and consistently applied. This means it should exist as a formal ISMS document, subject to version control, approval, and review cycles. It must be referenced in procedures and training materials so that all assessors use the same method. The results of applying this methodology—risk registers, analysis reports, and evaluation summaries—must also be retained as auditable evidence. As the organization evolves, the methodology should be updated to reflect changes in technology, regulatory obligations, or strategic direction. Regular review ensures that the process remains aligned with the organization’s maturity and context. A well-documented methodology not only satisfies auditors but also strengthens internal governance, creating a reliable, repeatable foundation for decision-making.

(07:38):
For more cyber related content and books, please check out cyber author dot me. Also, there are other prepcasts on Cybersecurity and more at Bare Metal Cyber dot com.

Auditors assessing Clause 6.1.2 look closely for evidence that the organization has developed and consistently applied a formal risk assessment methodology. They expect to see the methodology documented in the ISMS, accessible for review, and approved by management. Beyond the existence of the document, auditors look for proof of its consistent use—showing that every assessment, regardless of department or scope, follows the same process and criteria. They also trace the connection between identified risks and the selected controls used to mitigate them. This traceability demonstrates that control decisions are evidence-based, not arbitrary. Mature organizations can show a clear line from risk identification through assessment, evaluation, and treatment planning. Finally, auditors seek assurance that opportunities were also considered during the assessment, as Clause 6.1 requires a balanced view of both threats and potential improvements.

(08:50):
Despite its importance, many organizations struggle to design and maintain an effective risk assessment methodology. One of the most common mistakes is creating criteria that are vague or inconsistent, leading to unpredictable scoring and poor comparability across assessments. Another issue arises when methodologies become overly complex—introducing convoluted scoring formulas or excessive data requirements that make the process impractical. Such models tend to collapse under operational pressure because staff lack the time or clarity to apply them consistently. A further pitfall is excluding relevant stakeholders, particularly business or legal representatives, resulting in an overly technical focus that misses business risk implications. Finally, risk acceptance criteria are often poorly defined or undocumented, leaving decision-makers uncertain about when a risk is tolerable. These weaknesses not only reduce the accuracy of risk assessments but also undermine the ISMS’s credibility during audits.

(09:52):
To avoid these pitfalls, organizations can follow several best practices when creating or refining their risk assessment methodology. Alignment with ISO 31000—the international standard for risk management—is an excellent starting point. ISO 31000 provides guiding principles for identifying, analyzing, evaluating, and treating risk within a structured framework. Keeping the model simple and usable is equally important; a methodology that can be applied quickly and consistently will always outperform one that is theoretically elegant but impractical. Tailoring the approach to the organization’s context, size, and resources ensures relevance. For a small firm, a three-level qualitative matrix might suffice; for a multinational, a hybrid model combining quantitative and qualitative measures may be more appropriate. Finally, the methodology should be reviewed annually to confirm it still reflects the organization’s context, threat environment, and governance maturity. A review at least once per management cycle ensures that the process evolves with the organization rather than stagnating.

(10:58):
Risk scoring models can take many forms, and the best choice depends on the organization’s needs and sophistication. A simple 1–5 matrix for likelihood and impact remains the most widely used method. It offers clarity and accessibility, allowing teams to quickly visualize risk severity by combining probability and consequence scores. Heat maps derived from this matrix help leadership prioritize risks visually, making decision-making more intuitive. Some organizations assign monetary values to quantify potential losses, which can be especially effective in financial and manufacturing sectors where costs are measurable. Others use hybrid models that mix qualitative descriptors with quantitative weighting, giving a more nuanced picture of complex risks. Regardless of the method, consistency and clarity are more important than precision—auditors are more impressed by a coherent, consistently applied model than by one that is mathematically sophisticated but inconsistently used.

(12:00):
Clause 6.1.2 also emphasizes the integration of the risk assessment methodology within the broader ISMS lifecycle. During the Plan-Do-Check-Act cycle, the methodology is applied in the planning phase to identify and prioritize risks. These results then inform the selection of controls in Annex A, ensuring that mitigation efforts align with the most significant risks. The methodology also supports the development of ISMS objectives under Clause 6.2, translating strategic intent into measurable risk-based outcomes. As the ISMS matures, data generated through the methodology feeds into Clause 9’s monitoring and measurement activities, where performance is evaluated, and into Clause 10’s continual improvement process. This integration transforms the methodology from a compliance artifact into a dynamic management tool that informs every stage of the ISMS, ensuring continuous alignment between risk posture and business direction.

(13:03):
A robust, well-documented risk assessment methodology offers substantial benefits to the organization. It enables objective, evidence-based decision-making across all ISMS functions, reducing reliance on intuition or isolated judgment. It provides transparency, allowing leadership and stakeholders to see how risks are prioritized and addressed. This transparency builds confidence, both internally and externally, that information security decisions are rational and defensible. The methodology also helps allocate resources more efficiently—directing attention to the areas of highest impact rather than spreading effort thinly across minor concerns. Over time, consistent application of the methodology supports the development of trend data, enabling predictive analysis and strategic foresight. These advantages collectively strengthen the ISMS, transforming risk management from a reactive activity into a cornerstone of governance and resilience.

(14:04):
The methodology is not static—it should evolve as the organization’s environment and priorities change. For instance, a financial institution may adapt its model to give higher weight to regulatory and compliance risks as new legislation emerges. A technology company might prioritize intellectual property protection and software supply chain security in response to increased industry targeting. Healthcare organizations often tailor their risk assessment processes to emphasize patient safety and data privacy. Global enterprises may harmonize criteria across regions to ensure that risk scores are comparable and reporting remains consistent at the corporate level. These adaptations ensure that the methodology remains relevant, actionable, and aligned with strategic goals while still preserving the consistency and comparability required by ISO 27001.

(14:58):
A well-implemented risk assessment methodology delivers strategic value far beyond compliance. It embeds risk awareness into the organizational culture, making employees and managers alike more attuned to how their actions influence security outcomes. It strengthens relationships with auditors, regulators, and partners by demonstrating professional governance and evidence-based control selection. Over time, the methodology becomes an instrument of continuous learning, ensuring that the ISMS adapts intelligently to evolving threats, technologies, and business objectives. By institutionalizing disciplined risk assessment practices, organizations not only protect assets but also enhance their capacity to make informed, strategic decisions that balance risk with opportunity. This alignment of method, governance, and culture is the hallmark of ISMS maturity and a prerequisite for long-term resilience.

(15:53):
In conclusion, Clause 6.1.2 requires organizations to define and maintain a clear, consistent, and documented risk assessment methodology. This methodology provides the structure that turns uncertainty into actionable insight, supporting control selection, audit credibility, and strategic alignment. When designed around ISO 31000 principles and tailored to organizational context, it ensures both objectivity and usability. A robust risk methodology is the ISMS’s analytical compass—guiding decision-making, proving due diligence, and strengthening trust. With this foundation in place, the organization can now progress naturally to Clause 6.1.3, where risk treatment planning transforms assessment results into concrete, prioritized actions that reduce risk and enhance security performance.