ISO 27001 Clause 8.3 Information Security Risk Treatment

Home / ISO 27001 Clauses / ISO 27001 Clause 8.3 Information Security Risk Treatment

The ISO 27001 standard requires an organisation to treat risks and to keep evidence of the results.

In this ultimate guide to ISO 27001:2022 Clause 8.3 Information Security Risk Treatment you will learn

  • What ISO 27001 Clause 8.3 is
  • How to implement implement it

What is ISO 27001 Clause 8.3 ?

ISO 27001 Clause 8.3 is all about risk treatment.

Where we covered the risk treatment planning in ISO 27001 Clause 6.1.3 here we look at the execution.

The ISO 27001 standard for ISO 27001 certification wants you to effectively treat and manage risks.

That risk treatment process has to maintain evidence of the risk treatment which is done by using a risk register.

Definition

The ISO 27001 standard defines ISO 27001:2022 clause 8.3 as:

The organisation shall implement the information security risk treatment plan.
The organisation shall retain documented information of the results of the information security risk treatment.

ISO 27001:2022 Clause 8.3 Information Security Risk Treatment

What are the ISO 27001:2022 Changes to Clause 8.3?

Great news. There are no changes to ISO 27001 Clause 8.3 in the 2022 update.

Implementation Guide

To meet the requirement of ISO 27001 clause 8.3 you must evidence that the risk treatment plan that you described in ISO 27001 Clause 6.1.3 is being implemented. The way that you do this is by having effective risk management in place, using a risk register that includes all of the required controls and includes residual risk and then ensuring that the risk register is shared with, and minuted at, the management review team meeting.

The controls that you selected in the Statement of Applicability are all designed to effectively manage risk.

You ensure that you can tie your risk register and your risk treatment to the controls that you have, including those you choose in the Statement of Applicability.

Risk Treatment Examples

Risk treatment examples include:

  • You can accept the risk. You would hold a management review meeting, get agreement to accept the risk, minute the meeting to document the decision and update the risk register.
  • You could transfer the risk. Whilst you cannot transfer the accountability for a risk you can transfer the treatment of the risk. An example of this would be having insurance in place or outsourcing to a third party.
  • You could mitigate the risk. The level of mitigation may be to reduce but not eliminate the risk or to eliminate the risk. It really depends on the risk appetite of the organisation.

How to conduct an ISO 27001 risk treatment

You use the risk register and sure that you provide an effective risk rating for each risk.

Using your risk treatment plan you will have identified the relevant risk treatment based on risk level.

This can be overridden by the management review team meeting.

For each risk that you identify, once you have identified the risk treatment implement the treatment you have chosen. If this is to either introduce or enhance controls, including those in the Statement of Applicability, follow your continual improvement process.

Once the risk treatment is implemented update the risk register and conduct and audit of the risk again and record the residual risk score.

This is the new risk score based on the new risk treatment.

Ideally the risk score will have gone down.

You would not want to implement a control for a risk that did not positively impact its risk score and go some way to mitigating it.

ISO 27001 Templates

ISO 27001 templates are a great way to implement your information security management system. Whilst an ISO 27001 toolkit can save you up to 30x in consulting fees and allow you to deliver up to 10x faster these individual templates help meet the specific requirements of ISO 27001 clause 8.3.

ISO 27001 Toolkit

Watch the Tutorial

Watch How To Implement ISO 27001 Clause 8.3 Information Security Risk Treatment

FAQ

What is ISO 27001 Clause 8.3 Information Security Risk Treatment ?

The ISO 27001 standard requires an organisation to perform risk treatment for identified risks and record evidence of the risk treatment.

Where can I download ISO 27001 Clause 8.3 Information Security Risk Treatment ?

You can download ISO 27001 Clause 8.3 Information Security Risk Treatment templates in the ISO 27001 Toolkit.

ISO 27001 Clause 8.3 Information Security Risk Treatment example?

An example of ISO 27001 Clause 8.3 Information Security Risk Treatment can be found in the ISO 27001 Toolkit.

Is there an ISO 27001 Clause 8.3 Information Security Risk Treatment risk register?

Yes. A complete guide to the ISO 27001 Clause 8.3 Information Security Risk Treatment risk register can be found here.

Is there a guide to the risk management policy used in ISO 27001 Clause 8.3?

A guide to the ISO 27001 risk management policy used by ISO 27001 Clause 8.3 is located here.

How do you keep evidence of a risk treatment?

There are several ways to keep and how evidence of a risk assessment:
1. Hold an annual risk review meeting and minute the results
2. Maintain and use a risk register
3. Follow the structure agenda of the management review team meeting which covers risk assessment
4. Include risk assessment as part of your operational processes

How often do you conduct a risk treatment?

At any point that the risk identified is unacceptable and needs to be addressed

How do you conduct an ISO 27001 risk treatment?

Read the complete guide to ISO 27001 risk assessment here.

Further Reading

For more on planning for risk assessment be sure to read: ISO 27001 Clause 6.12 Information security risk assessment Guide

For more on planning for risk treatment be sure to read: ISO 27001 Clause 6.1.3 Information Security Risk Treatment Guide

ISO 27001 Toolkit Business Edition
Do it Yourself ISO 27001 with LIVE EXPERT SUPPORT

ISO 27001:2022 requirements

ISO 27001:2022 Annex A 5 - Organisational Controls

ISO 27001 Annex A 5.1 Policies for information security

ISO 27001 Annex A 5.2 Information Security Roles and Responsibilities

ISO 27001 Annex A 5.3 Segregation of duties

ISO 27001 Annex A 5.4 Management responsibilities

ISO 27001 Annex A 5.5 Contact with authorities

ISO 27001 Annex A 5.6 Contact with special interest groups

ISO 27001 Annex A 5.7 Threat intelligence – new

ISO 27001 Annex A 5.8 Information security in project management

ISO 27001 Annex A 5.9 Inventory of information and other associated assets – change

ISO 27001 Annex A 5.10 Acceptable use of information and other associated assets – change

ISO 27001 Annex A 5.11 Return of assets

ISO 27001 Annex A 5.11 Return of assets

ISO 27001 Annex A 5.13 Labelling of information

ISO 27001 Annex A 5.14 Information transfer

ISO 27001 Annex A 5.15 Access control

ISO 27001 Annex A 5.16 Identity management

ISO 27001 Annex A 5.17 Authentication information – new

ISO 27001 Annex A 5.18 Access rights – change

ISO 27001 Annex A 5.19 Information security in supplier relationships

ISO 27001 Annex A 5.20 Addressing information security within supplier agreements

ISO 27001 Annex A 5.21 Managing information security in the ICT supply chain – new

ISO 27001 Annex A 5.22 Monitoring, review and change management of supplier services – change

ISO 27001 Annex A 5.23 Information security for use of cloud services – new

ISO 27001 Annex A 5.24 Information security incident management planning and preparation – change

ISO 27001 Annex A 5.25 Assessment and decision on information security events 

ISO 27001 Annex A 5.26 Response to information security incidents

ISO 27001 Annex A 5.27 Learning from information security incidents

ISO 27001 Annex A 5.28 Collection of evidence

ISO 27001 Annex A 5.29 Information security during disruption – change

ISO 27001 Annex A 5.31 Identification of legal, statutory, regulatory and contractual requirements

ISO 27001 Annex A 5.32 Intellectual property rights

ISO 27001 Annex A 5.33 Protection of records

ISO 27001 Annex A 5.34 Privacy and protection of PII

ISO 27001 Annex A 5.35 Independent review of information security

ISO 27001 Annex A 5.36 Compliance with policies and standards for information security

ISO 27001 Annex A 5.37 Documented operating procedures 

ISO 27001:2022 Annex A 8 - Technology Controls

ISO 27001 Annex A 8.1 User Endpoint Devices

ISO 27001 Annex A 8.2 Privileged Access Rights

ISO 27001 Annex A 8.3 Information Access Restriction

ISO 27001 Annex A 8.4 Access To Source Code

ISO 27001 Annex A 8.5 Secure Authentication

ISO 27001 Annex A 8.6 Capacity Management

ISO 27001 Annex A 8.7 Protection Against Malware

ISO 27001 Annex A 8.8 Management of Technical Vulnerabilities

ISO 27001 Annex A 8.9 Configuration Management 

ISO 27001 Annex A 8.10 Information Deletion

ISO 27001 Annex A 8.11 Data Masking

ISO 27001 Annex A 8.12 Data Leakage Prevention

ISO 27001 Annex A 8.13 Information Backup

ISO 27001 Annex A 8.14 Redundancy of Information Processing Facilities

ISO 27001 Annex A 8.15 Logging

ISO 27001 Annex A 8.16 Monitoring Activities

ISO 27001 Annex A 8.17 Clock Synchronisation

ISO 27001 Annex A 8.18 Use of Privileged Utility Programs

ISO 27001 Annex A 8.19 Installation of Software on Operational Systems

ISO 27001 Annex A 8.20 Network Security

ISO 27001 Annex A 8.21 Security of Network Services

ISO 27001 Annex A 8.22 Segregation of Networks

ISO 27001 Annex A 8.23 Web Filtering

ISO 27001 Annex A 8.24 Use of CryptographyISO27001 Annex A 8.25 Secure Development Life Cycle

ISO 27001 Annex A 8.26 Application Security Requirements

ISO 27001 Annex A 8.27 Secure Systems Architecture and Engineering Principles

ISO 27001 Annex A 8.28 Secure Coding

ISO 27001 Annex A 8.29 Security Testing in Development and Acceptance

ISO 27001 Annex A 8.30 Outsourced Development

ISO 27001 Annex A 8.31 Separation of Development, Test and Production Environments

ISO 27001 Annex A 8.32 Change Management

ISO 27001 Annex A 8.33 Test Information

ISO 27001 Annex A 8.34 Protection of information systems during audit testing