In this article I lay bare ISO 27001 Clause 6.1.3 Information Security Risk Treatment.
Using over two decades of experience on hundreds of ISO 27001 audits and ISO 27001 certifications I am going to show you what’s new, give you templates, show you examples and do a walkthrough.
In this ISO 27001 certification guide I show you exactly what changed in the ISO 27001:2022 update.
I am Stuart Barker, the ISO 27001 Ninja, and this is ISO 27001:2022 Clause 6.1.3.
Table of contents
- What is ISO 27001:2022 Clause 6.1.3 Information Security Risk Treatment?
- What are the ISO 27001:2022 Changes to Clause 6.1.3?
- Risk Treatment Options
- Risk Controls
- Statement of Applicability (SOA)
- Risk Treatment Plan
- Risk Treatment Approval
- ISO 27001 Clause 6.1.3 Templates
- ISO 27001 Clause 6.1.3 FAQ
What is ISO 27001:2022 Clause 6.1.3 Information Security Risk Treatment?
The ISO 27001 standard requires an organisation to select appropriate risk treatment options based on the risk assessment results.
This clause is all about risk treatment.
The ISO 27001 standard for ISO 27001 certification wants you to define and implement a risk assessment process and to treat those risks appropriately.
It is, after all, a risk-based management system, not a rule-based one.
That risk treatment process has to set out risk criteria which are the parameters of your risk management.
What are the ISO 27001:2022 Changes to Clause 6.1.3?
The changes to ISO 27001 Clause 6.1.3 are minor but important:
- Changing the wording of 6.1.3 c to now reference Annex A as containing a list of possible information security controls. This is a change from it containing a comprehensive list of control objectives.
- Removing the wording that control objectives are implicitly included in the controls chosen, and changing the note that the control objectives listed in Annex A are not exhaustive and additional controls may be needed so that it now refers to the information security controls listed in Annex A. The term "control objectives" becomes "controls".
- Changing the sentence of 6.1.3 d into a list for ease of reading.
- Changing the words "International Standard" to the word "document".
Overall these are clarification changes and not material.
Risk Treatment Options
You are expected to select appropriate information security risk treatment options, taking account of the risk assessment results.
Risk treatment options can include:
- accepting the risk
- treating the risk
- mitigating the risk
- transferring the risk
- avoiding the risk
Risk Controls
Once the information security risk treatment option(s) are chosen, the controls needed to implement them are identified. A great place to identify what those controls are is the Statement of Applicability (SOA). This is the list of ISO 27002 / Annex A controls that apply to you. If you have not defined your Statement of Applicability yet, you can choose directly from the ISO 27002 / Annex A control list.
There may be additional controls that you want to consider, but the ISO 27001 standard and the provided list of Annex A controls are designed specifically as a common-sense set of controls. It therefore makes perfect sense to use that list as the controls you will apply to mitigate risk. It also helps with your ISO 27001 certification by staying on point.
You will compare the controls determined in 6.1.3 above with those in ISO 27001 Annex A and verify that no necessary controls have been omitted.
Statement of Applicability (SOA)
It is down to you to produce a Statement of Applicability that contains the necessary controls and justification for inclusions, whether they are implemented or not, and the justification for exclusions of controls from Annex A.
As mentioned, the Statement of Applicability is not a particularly difficult or complex document. It is just a list of controls, with the date each was assessed and, if a control is not applicable, why not. Don't overthink it.
Risk Treatment Plan
Once you have decided on what your risk treatment will be then you need a plan to address it.
For risks that you accept you will want to update the risk register and then minute that you accepted the risks at an appropriate Management Review Team Meeting.
For other risks you will formulate a plan. The plan will include what you will do, who will do it, when they will do it, and a check of the results.
Once the risk treatment is complete, you reassess the risk with the new controls in place. The result is what is called residual risk. All of this is documented in the risk register.
Risk Treatment Approval
Risk owners will approve the risk treatment plan and the acceptance of the residual information security risks. This will also be shared at the next Management Review Team meeting and agreed and minuted.
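As an added illustration of the process above (choose a treatment, record the controls, reassess for residual risk, and justify every Annex A control either in or out of the SOA), here is a small Python sketch. It is not the author's template; it assumes a constructed four-control subset of Annex A, constructed register entries, and a simple likelihood × impact score.

```python
from dataclasses import dataclass, field
# Constructed subset of Annex A control names, assumed for this example.
ANNEX_A = {
    "A.5.1": "Policies for information security",
    "A.8.7": "Protection against malware",
    "A.8.8": "Management of technical vulnerabilities",
    "A.8.24": "Use of cryptography",
}
@dataclass
class Risk:
    rid: str
    likelihood: int            # 1..5, before treatment
    impact: int                # 1..5, before treatment
    treatment: str             # accept | mitigate | transfer | avoid
    controls: list = field(default_factory=list)
    residual_likelihood: int = 0   # re-scored once controls are in place
    residual_impact: int = 0
    def inherent(self) -> int:
        return self.likelihood * self.impact
    def residual(self) -> int:
        # An accepted or not-yet-reassessed risk carries its inherent score.
        if self.treatment == "accept" or not self.residual_likelihood:
            return self.inherent()
        return self.residual_likelihood * self.residual_impact
def check_controls(risks, catalogue=ANNEX_A):
    """Control ids referenced by treatments but missing from the catalogue."""
    used = {c for r in risks for c in r.controls}
    return sorted(used - set(catalogue))
def build_soa(risks, exclusions, catalogue=ANNEX_A):
    """One row per catalogue control: (applicable, justification)."""
    rows = {}
    for cid, name in catalogue.items():
        treats = [r.rid for r in risks if cid in r.controls]
        if treats:
            rows[cid] = (True, f"{name}: treats {', '.join(treats)}")
        elif cid in exclusions:
            rows[cid] = (False, f"{name}: {exclusions[cid]}")
        else:   # neither justified in nor justified out: an audit finding
            rows[cid] = (None, f"{name}: no risk or exclusion recorded")
    return rows

# Constructed register entries; A.9.99 is a deliberately bogus control id.
RISKS = [
    Risk("R1", 4, 4, "mitigate", ["A.8.8"], 2, 4),
    Risk("R2", 2, 2, "accept"),
    Risk("R3", 3, 5, "mitigate", ["A.8.24", "A.9.99"], 1, 5),
]
EXCLUSIONS = {"A.8.7": "no endpoints in scope, all workloads are managed PaaS"}
```

A `None` row in the SOA and any id returned by `check_controls` are exactly the gaps an auditor looks for: a control that is neither justified in nor justified out, or a treatment that names a control the catalogue does not contain.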
ISO 27001 Clause 6.1.3 Templates
ISO 27001 templates are a great way to implement your information security management system. Whilst an ISO 27001 toolkit can save you up to 30x in consulting fees and allow you to deliver up to 10x faster these individual templates help meet the specific requirements of ISO 27001 clause 6.1.3.
ISO 27001 Clause 6.1.3 FAQ
The ISO 27001 standard requires an organisation to establish and maintain information security risk assessment processes that include the risk acceptance and assessment criteria.
You can download ISO 27001 6.1.3 Information Security Risk Treatment templates here: https://hightable.io/product/iso-27001-templates-toolkit/
An example of Clause 6.1.3 Information Security Risk Treatment can be found here: https://hightable.io/product/iso-27001-templates-toolkit/
Yes. A complete guide to the ISO 27001 Clause 6.1.3 risk register can be found here: https://hightable.io/risk-register/
A guide to the ISO 27001 risk management policy used by ISO 27001 Clause 6.1.3 is located here: https://hightable.io/risk-management-policy/