ISO 27001 Clause 6.1.3 Information Security Risk Treatment

Home / ISO 27001 Clauses / ISO 27001 Clause 6.1.3 Information Security Risk Treatment

ISO 27001 Information Security Risk Treatment

In this article I lay bare ISO 27001 Clause 6.1.3 Information Security Risk Treatment.

I am Stuart Barker, the ISO 27001 Ninja and author of the Ultimate ISO 27001 Toolkit.

With over 30 years industry experience I will show you what’s new, give you ISO 27001 templates, show you examples, do a walkthrough and show you how to implement it for ISO 27001 certification.

What is ISO 27001 Clause 6.1.3 Information Security Risk Treatment?

The ISO 27001 standard requires an organisation to select appropriate risk treatment options based on the risk assessment results.

This clause is all about risk treatment.

The ISO 27001 standard for ISO 27001 certification wants you define and implement a risk assessment process and to treat those risks appropriately.

It is, after all, a risk based management system. Not a rule based system.

That risk treatment process has to set out risk criteria which are the parameters of your risk management.

What are the ISO 27001:2022 Changes to Clause 6.1.3?

The changes to ISO 27001 Clause 6.1.3 are minor but important

  • Changing the wording of 6.1.3 c to now reference Annex A as containing a list of possible information security controls. This is a change from it containing a comprehensive list of control objectives.
  • Removing the wording that control objectives are implicitly included in the controls chosen. Changing from the control objectives listed in Annex A as being not exhaustive with additional controls may being needed to the wording of Information Security Controls listed in Annex. Change the word control objectives to controls.
  • Changing the sentence of 6.1.3 d into a list for ease of reading
  • Changing the words ‘International Standard’ to the word ‘document’

Overall these are clarification changes and not material.

ISO 27001 Clause 6.1.3 Implementation Guide

Risk Treatment Options

You are expected to select appropriate information security risk treatment options, taking account of the risk assessment results.

Risk treatment options can include

  • accepting the risk
  • treating the risk
  • mitigating the risk
  • transfer the risk
  • avoiding the risk

Risk Controls

Risk controls where required as necessary are identified and the information security risk treatment option(s) is chosen. A great place to identify what those controls are is in the Statement of Applicability ( SOA ). This is the list of ISO 27002 / Annex A controls that apply to you. Of course if you have not defined your Statement of Applicability yet then you can choose directly from the ISO 27002 / Annex A control list.

Of course there may be additional controls that you want to consider but the ISO 27001 standard and the provided list of Annex A controls is designed specifically as a common sense set of controls. It therefore makes perfect sense to you that list of controls as the controls you will use to mitigate risk. It also helps with your ISO 27001 certification by staying on point.

You will compare the controls determined in 6.1.3 above with those in ISO 27001 Annex A and verify that no necessary controls have been omitted.

Statement of Applicability (SOA)

It is down to you to produce a Statement of Applicability that contains the necessary controls and justification for inclusions, whether they are implemented or not, and the justification for exclusions of controls from Annex A.

As mentioned the Statement of Applicability is not a particular difficult or complex document. Moreover it is just a list of controls with a date they were assessed and if they are not applicable why not. Don’t over think it.

Risk Treatment Plan

Once you have decided on what your risk treatment will be then you need a plan to address it.

For risks that you accept you will want to update the risk register and then minute that you accepted the risks at an appropriate Management Review Team Meeting.

For other risks you will formulate a plan. The plan will include what you will do, who will do it, when they will do and a check of the results.

Once the risk treatment has completed you will then risk assess again using the new controls in place. This gives you what is called Residual Risk. All of this is documented in the risk register.

Risk Treatment Approval

Risk owners will approve the risk treatment plan and the acceptance of the residual information security risks. This will also be shared at the next Management Review Team meeting and agreed and minuted.

ISO 27001 Templates

ISO 27001 templates are a great way to fast track your implementation and leverage industry best practice.

Tthese individual templates help meet the specific requirements of ISO 27001 clause 6.1.2.

ISO 27001 Risk Register Template
ISO 27001 Risk Management Policy Template
ISO27001 Risk Management Procedure Template


All the templates, tools, support and knowledge you need to do it yourself.

ISO 27001 Toolkit Business Edition

ISO 27001 Clause 6.1.3 FAQ

What is ISO 27001 6.1.3 Information Security Risk Treatment ?

The ISO 27001 standard requires an organisation to establish and maintain information security risk assessment processes that include the risk acceptance and assessment criteria.

Where can I download ISO 27001 Clause 6.1.3 Information Security Risk Treatment templates?

You can download ISO 27001 6.1.3 Information Security Risk Treatment templates in the ISO 27001 Toolkit.

ISO 27001 Clause 6.1.3 Information Security Risk Treatment templates example

An example of Clause 6.1.3 Information Security Risk Treatment can be found in the ISO 27001 Toolkit.

Is there an ISO 27001 6.1.3 risk register?

Yes. A complete guide to the ISO 27001 Clause 6.1.3 risk register can be found here.

Is there a guide to the risk management policy used in ISO 27001 Clause 6.1.3?

A guide to the ISO 27001 risk management policy used by ISO 27001 Clause 6.1.3 is located here.