We present a structured method for performing risk analysis for cloud applications according to the ISO 27001 standard. Our method relies on patterns to describe the context and structure of a cloud computing system (using CSAP), to identify threats, to elicit the security requirements, and to select controls. Our ClouDA tool supports the application of this method. Our approach delivers the following main benefits: • Systematic pattern-based identification of threats using threat patterns and their relationship to CSAP elements, which facilitates and accelerates the threat analysis • Systematic pattern-based identification of security requirements to be fulfilled by appropriate controls using security requirement patterns and their relationship to threat patterns • Systematic pattern-based identification of controls using their relationship to security requirement patterns • Tool support for our approach • Increased effectiveness of risk analysis by applying the method and reduced documentation effort by hierarchical refinement of assets. In the future, we want to extend the tool for supporting other types of patterns for performing risk analysis. In addition, we intend to enrich the tool so as to check the complete and coherent instantiation of the patterns.