The ISO 27001 standard is a risk-based management system that requires an organisation to select appropriate risk treatment options based on the results of its risk assessment.
In this ultimate guide to ISO 27001:2022 Clause 6.1.3 Information Security Risk Treatment you will learn
- What ISO 27001 Clause 6.1.3 is
- How to implement it
- Example risk treatment options
- Example risk assessments
What is ISO 27001 Clause 6.1.3?
This clause is all about risk treatment.
The ISO 27001 standard, and ISO 27001 certification, require you to define and implement a risk assessment process and to treat the risks it identifies appropriately.
It is, after all, a risk-based management system, not a rule-based one.
That risk treatment process has to set out risk criteria, which are the parameters of your risk management.
What are the ISO 27001:2022 Changes to Clause 6.1.3?
The changes to ISO 27001 Clause 6.1.3 are minor but important:
- The wording of 6.1.3 c now references Annex A as containing a list of possible information security controls, rather than a comprehensive list of control objectives.
- The wording that control objectives are implicitly included in the controls chosen has been removed. The statement that the control objectives listed in Annex A are not exhaustive and that additional controls may be needed now refers instead to the information security controls listed in Annex A; the term "control objectives" has been replaced with "controls".
- The sentence of 6.1.3 d has been broken into a list for ease of reading.
- The words ‘International Standard’ have been changed to the word ‘document’.
Overall these are clarification changes and not material.
Implementation Guide
Risk Treatment Options
You are expected to select appropriate information security risk treatment options, taking account of the risk assessment results.
Risk treatment options can include:
- accepting the risk
- treating the risk
- mitigating the risk
- transferring the risk
- avoiding the risk
Risk Controls
Where required, risk controls are identified and the information security risk treatment option(s) chosen. A great place to identify what those controls are is the Statement of Applicability (SOA). This is the list of ISO 27002 / Annex A controls that apply to you. If you have not defined your Statement of Applicability yet, you can choose directly from the ISO 27002 / Annex A control list.
There may be additional controls that you want to consider, but the ISO 27001 standard and the provided list of Annex A controls are designed specifically as a common-sense set of controls. It therefore makes perfect sense to use that list as the controls you will use to mitigate risk. It also helps with your ISO 27001 certification by staying on point.
You will compare the controls determined in 6.1.3 above with those in ISO 27001 Annex A and verify that no necessary controls have been omitted.
Statement of Applicability (SOA)
It is down to you to produce a Statement of Applicability that contains the necessary controls, the justification for their inclusion (whether they are implemented or not), and the justification for excluding any controls from Annex A.
As mentioned, the Statement of Applicability is not a particularly difficult or complex document. It is just a list of controls with the date they were assessed and, if they are not applicable, why not. Don’t over-think it.
Risk Treatment Plan
Once you have decided what your risk treatment will be, you need a plan to address it.
For risks that you accept, update the risk register and then minute that you accepted the risks at an appropriate Management Review Team meeting.
For other risks you will formulate a plan. The plan will include what you will do, who will do it, when they will do it, and a check of the results.
Once the risk treatment has been completed, risk assess again with the new controls in place. The result is what is called residual risk. All of this is documented in the risk register.
Risk Treatment Approval
Risk owners will approve the risk treatment plan and the acceptance of the residual information security risks. This will also be shared at the next Management Review Team meeting, agreed and minuted.
ISO 27001 Templates
ISO 27001 templates are a great way to fast-track your implementation and leverage industry best practice.
These individual templates help meet the specific requirements of ISO 27001 Clause 6.1.3.
FAQ
The ISO 27001 standard requires an organisation to establish and maintain an information security risk assessment process that includes the risk acceptance and risk assessment criteria.
You can download ISO 27001 6.1.3 Information Security Risk Treatment templates in the ISO 27001 Toolkit.
An example of Clause 6.1.3 Information Security Risk Treatment can be found in the ISO 27001 Toolkit.
Yes. A complete guide to the ISO 27001 Clause 6.1.3 risk register can be found here.
A guide to the ISO 27001 risk management policy used by ISO 27001 Clause 6.1.3 is located here.