Introduction
In this article we lay bare ISO27001 Clause 8.3 Information Security Risk Treatment. Exposing the insider trade secrets, giving you the templates that will save you hours of your life and showing you exactly what you need to do to satisfy it for ISO27001 certification. We show you exactly what changed in the ISO27001:2022 update. I am Stuart Barker the ISO27001 Ninja and this is ISO27001 Clause 8.3
Table of contents
- Introduction
- What is ISO27001 Clause 8.3 Information Security Risk Treatment?
- What are the ISO27001:2022 Changes to Clause 8.3?
- ISO27001 Clause 8.3 Definition
- ISO27001 Clause 8.3 Risk Treatment Examples
- ISO27001 Clause 8.3 Implementation Guide
- How to conduct an ISO27001 risk treatment
- ISO27001 Clause 8.3 Templates
- ISO27001 Clause 8.3 FAQ
- Further Reading
- Reference
What is ISO27001 Clause 8.3 Information Security Risk Treatment?
The ISO27001 standard requires an organisation to treat risks and to keep evidence of the results.
ISO27001 Clause 8.3 is all about risk treatment.
Where we covered the risk treatment planning in ISO27001 Clause 6.1.3 here we look at the execution.
The ISO27001 standard for ISO27001 certification wants you to effectively treat and manage risks.
That risk treatment process has to maintain evidence of the risk treatment which is done by using a risk register.
What are the ISO27001:2022 Changes to Clause 8.3?
Great news. There are no changes to ISO27001 Clause 8.3 in the 2022 update.
ISO27001 Clause 8.3 Definition
The ISO27001 standard defines ISO27001 clause 8.3 as:
The organisation shall implement the information security risk treatment plan.
ISO27001 Clause 8.3 Information Security Risk Treatment
The organisation shall retain documented information of the results of the information security risk treatment.
ISO27001 Clause 8.3 Risk Treatment Examples
Risk treatment examples include:
- You can accept the risk. You would hold a management review meeting, get agreement to accept the risk, minute the meeting to document the decision and update the risk register.
- You could transfer the risk. Whilst you cannot transfer the accountability for a risk you can transfer the treatment of the risk. An example of this would be having insurance in place or outsourcing to a third party.
- You could mitigate the risk. The level of mitigation may be to reduce but not eliminate the risk or to eliminate the risk. It really depends on the risk appetite of the organisation.
ISO27001 Clause 8.3 Implementation Guide
To meet the requirement of ISO27001 clause 8.3 you must evidence that the risk treatment plan that you described in ISO27001 Clause 6.1.3 is being implemented. The way that you do this is by having effective risk management in place, using a risk register that includes all of the required controls and includes residual risk and then ensuring that the risk register is shared with, and minuted at, the management review team meeting.
The controls that you selected in the Statement of Applicability are all designed to effectively manage risk.
You ensure that you can tie your risk register and your risk treatment to the controls that you have, including those you choose in the Statement of Applicability.
How to conduct an ISO27001 risk treatment
You use the risk register and sure that you provide an effective risk rating for each risk.
Using your risk treatment plan you will have identified the relevant risk treatment based on risk level.
This can be overridden by the management review team meeting.
For each risk that you identify, once you have identified the risk treatment implement the treatment you have chosen. If this is to either introduce or enhance controls, including those in the Statement of Applicability, follow your continual improvement process.
Once the risk treatment is implemented update the risk register and conduct and audit of the risk again and record the residual risk score.
This is the new risk score based on the new risk treatment.
Ideally the risk score will have gone down.
You would not want to implement a control for a risk that did not positively impact its risk score and go some way to mitigating it.
ISO27001 Clause 8.3 Templates
ISO27001 templates are a great way to implement your information security management system. Whilst an ISO27001 toolkit can save you up to 30x in consulting fees and allow you to deliver up to 10x faster these individual templates help meet the specific requirements of ISO27001 clause 8.3.
ISO27001 Clause 8.3 FAQ
The ISO27001 standard requires an organisation to perform risk treatment for identified risks and record evidence of the risk treatment.
You can download ISO27001 Clause 8.3 Information Security Risk Treatment templates here: https://hightable.io/product/iso-27001-templates-toolkit/
An example of ISO27001 Clause 8.3 Information Security Risk Treatment can be found here: https://hightable.io/product/iso-27001-templates-toolkit/
Yes. A complete guide to the ISO27001 Clause 8.3 Information Security Risk Treatment risk register can be found here: https://hightable.io/risk-register/
A guide to the ISO27001 risk management policy used by ISO27001 Clause 8.3 is located here: https://hightable.io/risk-management-policy/
There are several ways to keep and how evidence of a risk assessment:
1. Hold an annual risk review meeting and minute the results
2. Maintain and use a risk register
3. Follow the structure agenda of the management review team meeting which covers risk assessment
4. Include risk assessment as part of your operational processes
At any point that the risk identified is unacceptable and needs to be addressed
Read the complete guide to ISO27001 risk assessment here: https://hightable.io/iso-27001-risk-assessment-guide/
ISO 27001:2022 Certification Requirements
What’s new, ISO 27001 templates, examples and walkthrough for each ISO 27001:2022 Annex A Clause.
- ISO 27001:2022 Clause 4.1 Understanding The Organisation And Its Context
- ISO 27001:2022 Clause 4.2 Understanding The Needs And Expectations Of Interested Parties
- ISO 27001:2022 Clause 4.3 Determining The Scope Of The Information Security Management System
- ISO 27001:2022 Clause 4.4 Information Security Management System (ISMS)
- ISO 27001:2022 Clause 5.1 Leadership And Commitment
- ISO 27001:2022 Clause 5.2 Information Security Policy
- ISO 27001:2022 Clause 5.3 Organisational Roles, Responsibilities And Authorities
- ISO 27001:2022 Clause 6 Planning
- ISO 27001:2022 Clause 6.1.1 Planning General
- ISO 27001:2022 Clause 6.1.2 Information Security Risk Assessment
- ISO 27001:2022 Clause 6.1.3 Information Security Risk Treatment
- ISO 27001:2022 Clause 6.2 Information Security Objectives And Planning To Achieve Them
- ISO 27001:2022 Clause 7.1 Resources
- ISO 27001:2022 Clause 7.2 Competence
- ISO 27001:2022 Clause 7.3 Awareness
- ISO 27001:2022 Clause 7.4 Communication
- ISO 27001:2022 Clause 7.5.1 Documented Information
- ISO 27001:2022 Clause 7.5.2 Creating And Updating Documented Information
- ISO 27001:2022 Clause 7.5.3 Control Of Documented Information
- ISO 27001:2022 Clause 8.1 Operational Planning And Control
- ISO 27001:2022 Clause 8.2 Information Security Risk Assessment
- ISO 27001:2022 Clause 8.3 Information Security Risk Treatment
- ISO 27001:2022 Clause 9.1 Monitoring, Measurement, Analysis, Evaluation
- ISO 27001:2022 Clause 9.2 Internal Audit
- ISO 27001:2022 Clause 9.3 Management Reviews
- ISO 27001:2022 Clause 10.1 Continual Improvement
- ISO 27001:2022 Clause 10.2 Non Conformity and Corrective Action
Further Reading
For more on planning for risk assessment be sure to read: ISO27001 Clause 6.1.2 Information security risk assessment Guide
For more on planning for risk treatment be sure to read: ISO27001 Clause 6.1.3 Information Security Risk Treatment Guide