ISO 27001 Clause 6.1.3 Information Security Risk Treatment

ISO 27001 Information Security Risk Treatment

The ISO 27001 standard is a risk based management system that requires an organisation to select appropriate risk treatment options based on the risk assessment results.

What is ISO 27001 Clause 6.1.3?

This clause is all about risk treatment.

The ISO 27001 standard for ISO 27001 certification wants you to define and implement a risk assessment process and to treat the identified risks appropriately.

It is, after all, a risk-based management system, not a rule-based system.

That risk treatment process has to set out risk criteria which are the parameters of your risk management.

Definition

The organization shall define and apply an information security risk treatment process to:

  • select appropriate information security risk treatment options, taking account of the risk assessment results;
  • determine all controls that are necessary to implement the information security risk treatment option(s) chosen;
  • compare the controls determined with those in Annex A and verify that no necessary controls have been omitted;
  • produce a Statement of Applicability that contains:
      • the necessary controls;
      • justification for their inclusion;
      • whether the necessary controls are implemented or not; and
      • the justification for excluding any of the Annex A controls.
  • formulate an information security risk treatment plan; and
  • obtain risk owners’ approval of the information security risk treatment plan and acceptance of the residual information security risks.

The organization shall retain documented information about the information security risk treatment process.

What are the ISO 27001:2022 Changes to Clause 6.1.3?

The changes to ISO 27001 Clause 6.1.3 are minor but important:

  • Changing the wording of 6.1.3 c so that it now references Annex A as containing a list of possible information security controls, rather than a comprehensive list of control objectives.
  • Removing the wording that control objectives are implicitly included in the controls chosen. The statement that the control objectives listed in Annex A are not exhaustive and that additional controls may be needed now refers instead to the information security controls listed in Annex A. The term ‘control objectives’ is replaced with ‘controls’.
  • Changing the sentence of 6.1.3 d into a list for ease of reading.
  • Changing the words ‘International Standard’ to the word ‘document’.

Overall, these are clarifying changes and are not material.

Implementation Guide

Risk Treatment Options

You are expected to select appropriate information security risk treatment options, taking account of the risk assessment results.

Risk treatment options can include:

  • accepting the risk
  • treating the risk
  • mitigating the risk
  • transferring the risk
  • avoiding the risk

Risk Controls

Once the information security risk treatment option(s) have been chosen, the controls required to implement them are identified. A great place to identify what those controls are is the Statement of Applicability (SOA). This is the list of ISO 27002 / Annex A controls that apply to you. Of course, if you have not defined your Statement of Applicability yet, then you can choose directly from the ISO 27002 / Annex A control list.

Of course, there may be additional controls that you want to consider, but the ISO 27001 standard and the provided list of Annex A controls are designed specifically as a common-sense set of controls. It therefore makes perfect sense to use that list of controls as the controls you will use to mitigate risk. It also helps with your ISO 27001 certification by staying on point.

You will compare the controls determined in 6.1.3 above with those in ISO 27001 Annex A and verify that no necessary controls have been omitted.

Statement of Applicability (SOA)

It is down to you to produce a Statement of Applicability that contains the necessary controls and justification for inclusions, whether they are implemented or not, and the justification for exclusions of controls from Annex A.

As mentioned, the Statement of Applicability is not a particularly difficult or complex document. It is essentially just a list of controls with the date they were assessed and, where a control is not applicable, the reason why. Don’t overthink it.

Risk Treatment Plan

Once you have decided what your risk treatment will be, you need a plan to address it.

For risks that you accept, you will want to update the risk register and then minute that you accepted the risks at an appropriate Management Review Team meeting.

For other risks you will formulate a plan. The plan will set out what you will do, who will do it, when they will do it, and how the results will be checked.

Once the risk treatment has been completed, you risk assess again with the new controls in place. The result is what is called residual risk. All of this is documented in the risk register.

Risk Treatment Approval

Risk owners will approve the risk treatment plan and accept the residual information security risks. This will also be shared at the next Management Review Team meeting, agreed and minuted.

Implementation Checklist

Information Security Risk Treatment ISO 27001 Clause 6.1.3 Implementation Checklist

Identify Risk Treatment Options

Determine appropriate actions to address identified risks, including risk modification (mitigation), risk transfer, risk avoidance, or risk acceptance.

Challenge:

Choosing the most cost-effective and appropriate treatment option for each risk. Difficulty in assessing the feasibility of different options.

Solution:

Conduct a cost-benefit analysis for each option. Consider the organisation’s risk appetite and business objectives. Involve relevant interested parties in the decision-making process.

Select Risk Treatment Options

Choose the most suitable risk treatment option for each identified risk, considering factors such as cost, feasibility, effectiveness, and organisational context.

Challenge:

Balancing security needs with business requirements. Difficulty in prioritising competing risk treatment options.

Solution:

Establish clear criteria for selecting risk treatment options. Prioritise treatments based on risk level and business impact. Document the rationale behind the chosen treatment options.

Prepare a Risk Treatment Plan

Develop a detailed plan for implementing the chosen risk treatment options, including specific actions, responsible parties, timelines, and resources.

Challenge:

Difficulty in defining clear and measurable actions. Lack of resources or expertise to implement the plan.

Solution:

Break down complex treatments into smaller, manageable tasks. Assign clear responsibilities and deadlines. Secure necessary resources and expertise.

Implement the Risk Treatment Plan

Execute the planned actions to implement the chosen risk treatment options.

Challenge:

Resistance to change from employees. Difficulty in coordinating implementation activities across different departments.

Solution:

Communicate the importance of risk treatment to employees. Provide training and support. Establish clear communication channels and project management processes.

Monitor and Review Risk Treatments

Regularly monitor the effectiveness of implemented risk treatments to ensure they are achieving their intended objectives.

Challenge:

Difficulty in measuring the effectiveness of some treatments. Lack of clear performance indicators.

Solution:

Define clear metrics for measuring the effectiveness of each treatment. Regularly review performance data and conduct security assessments.

Document Risk Treatment Decisions

Maintain records of risk treatment decisions, including the chosen options, rationale, implementation plans, and monitoring results.

Challenge:

Difficulty in keeping documentation up-to-date. Lack of integration with other ISMS processes.

Solution:

Use a centralised risk management system. Regularly review and update documentation. Integrate risk treatment documentation with other ISMS processes.

Communicate Risk Treatment Information

Communicate risk treatment information to relevant interested parties, including management, employees, and external parties.

Challenge:

Difficulty in communicating complex technical information to non-technical audiences. Lack of engagement from interested parties.

Solution:

Tailor communication to the audience. Use visual aids and plain language. Actively solicit feedback from interested parties.

Accept Residual Risks

Acknowledge and formally accept any residual risks that remain after implementing risk treatments.

Challenge:

Difficulty in determining the acceptable level of residual risk. Lack of management buy-in for accepting certain risks.

Solution:

Establish clear risk acceptance criteria. Obtain management approval for accepted residual risks. Document the rationale for accepting residual risks.

Maintain and Update Risk Treatments

Regularly review and update risk treatments to reflect changes in the threat landscape, vulnerabilities, and business environment.

Challenge:

Difficulty in keeping risk treatments up-to-date. Lack of resources for regular reviews.

Solution:

Establish a schedule for regular risk treatment reviews. Assign responsibility for maintaining risk treatments. Integrate risk treatment reviews with other ISMS processes, such as change management.

Continuously Improve Risk Treatment Processes

Identify opportunities to improve the effectiveness and efficiency of risk treatment processes.

Challenge:

Lack of resources or time for process improvement initiatives. Difficulty in measuring the impact of process improvements.

Solution:

Prioritise process improvement initiatives based on their potential impact. Allocate resources and time for process improvement activities. Establish metrics for measuring the effectiveness of process improvements.

Audit Checklist

The following is a summary of How to audit ISO 27001 Clause 6.1 and covers the Information Security Risk Treatment ISO 27001 Clause 6.1.3 audit checklist.

Review Risk Treatment Options Identification

Verify that the organization has a process for identifying appropriate risk treatment options (modification, transfer, avoidance, acceptance).

Audit Techniques: Document review (policies, procedures), interviews with risk management personnel, review of past risk treatment decisions and their rationale, walkthrough of a risk treatment identification process.

Assess Risk Treatment Selection

Ensure the organization has criteria for selecting risk treatment options, considering factors like cost, feasibility, and business objectives.

Audit Techniques: Document review (risk acceptance criteria, cost-benefit analysis templates), interviews with decision-makers, examination of selected risk treatments and their justification, analysis of resource allocation for different treatments.

Examine Risk Treatment Plans

Verify the existence and completeness of risk treatment plans, including specific actions, responsibilities, timelines, and resources.

Audit Techniques: Document review (risk treatment plans, project plans), interviews with project managers and responsible parties, review of resource allocation documentation, walkthrough of a risk treatment plan.

Evaluate Risk Treatment Implementation

Confirm that risk treatment plans have been implemented as documented.

Audit Techniques: Document review (implementation records, change management logs, training records), observation of processes, interviews with staff, testing of implemented controls (e.g., penetration testing for technical controls).

Assess Monitoring and Review of Risk Treatments

Verify the organization monitors the effectiveness of implemented risk treatments and reviews them regularly.

Audit Techniques: Review of performance data (e.g., incident rates, vulnerability scan results), interviews with staff responsible for monitoring, review of management review outputs, examination of risk treatment review records.

Examine Risk Treatment Documentation

Inspect records of risk treatment decisions, chosen options, rationale, implementation plans, and monitoring results for completeness and accuracy.

Audit Techniques: Document review (risk register, risk treatment reports), data analysis (trends in risk treatment effectiveness), sampling of risk treatment records for detailed review, interviews with risk owners.

Evaluate Communication of Risk Treatment Information

Verify that risk treatment information is communicated to relevant stakeholders.

Audit Techniques: Interviews with stakeholders, review of communication logs and meeting minutes, analysis of communication effectiveness surveys, review of stakeholder feedback mechanisms.

Assess Acceptance of Residual Risks

Confirm that residual risks (risks remaining after treatment) are formally accepted by management.

Audit Techniques: Review of risk acceptance documentation, interviews with management, examination of residual risk levels and their justification, review of risk acceptance criteria.

Evaluate Maintenance and Update of Risk Treatments

Verify that risk treatments are regularly reviewed and updated to reflect changes in the threat landscape, vulnerabilities, and business environment.

Audit Techniques: Review of risk treatment update schedule, interviews with risk management personnel, review of change management records, analysis of how new threats and vulnerabilities are incorporated into risk treatment reviews.

Assess Continuous Improvement of Risk Treatment Processes

Verify that the organization seeks opportunities to improve the effectiveness and efficiency of its risk treatment processes.

Audit Techniques: Interviews with risk management personnel, review of process improvement initiatives, analysis of metrics related to risk treatment effectiveness, benchmarking against industry best practices.

ISO 27001 Templates

Implementing ISO 27001 can be a significant undertaking and incur significant ISO 27001 costs. To streamline the process and potentially save valuable time and resources, consider utilising pre-written ISO 27001 templates. The ISO 27001 Toolkit offers a comprehensive set of resources specifically designed for those seeking to achieve ISO 27001 certification independently. With this toolkit, you can potentially build your Information Security Management System (ISMS) within a week and be ready for certification within 30 days.

These individual templates help meet the specific requirements of ISO 27001 clause 6.1.3.

FAQ

What is ISO 27001 6.1.3 Information Security Risk Treatment?

The ISO 27001 standard requires an organisation to establish and maintain information security risk assessment processes that include the risk acceptance and assessment criteria.

Where can I download ISO 27001 Clause 6.1.3 Information Security Risk Treatment templates?

You can download ISO 27001 6.1.3 Information Security Risk Treatment templates in the ISO 27001 Toolkit.

Is there an example of ISO 27001 Clause 6.1.3 Information Security Risk Treatment templates?

An example of Clause 6.1.3 Information Security Risk Treatment can be found in the ISO 27001 Toolkit.

Is there an ISO 27001 6.1.3 risk register?

Yes. A complete guide to the ISO 27001 Clause 6.1.3 risk register can be found here.

Is there a guide to the risk management policy used in ISO 27001 Clause 6.1.3?

A guide to the ISO 27001 risk management policy used by ISO 27001 Clause 6.1.3 is located here.

Further Reading

How to audit ISO 27001 Clause 6.1
