The Ultimate Guide To ISO 27001 Clause 6.1.3 Information Security Risk Treatment

ISO 27001 Clause 6.1.3 Information Security Risk Treatment Guide

In this article we lay bare ISO 27001 Clause 6.1.3 Information Security Risk Treatment, exposing the insider trade secrets, giving you the templates that will save you hours of your life and showing you exactly what you need to do to satisfy it for ISO 27001 certification.

What is ISO 27001 Clause 6.1.3?

The ISO 27001 standard requires an organisation to select appropriate risk treatment options based on the risk assessment results.

This clause is all about risk treatment.

The ISO 27001 standard for ISO 27001 certification wants you to define and implement a risk assessment process and to treat the risks it identifies appropriately.

It is, after all, a risk-based management system, not a rule-based system.

That risk treatment process has to set out risk criteria, which are the parameters of your risk management.

Risk Treatment Options

You are expected to select appropriate information security risk treatment options, taking account of the risk assessment results.

Risk treatment options can include:

  • accepting the risk
  • treating the risk
  • mitigating the risk
  • transferring the risk
  • avoiding the risk

Risk Controls

Once the information security risk treatment option(s) have been chosen, the controls required to implement them are identified as necessary. A great place to identify what those controls are is the Statement of Applicability (SOA). This is the list of ISO 27002 / Annex A controls that apply to you. Of course, if you have not defined your Statement of Applicability yet, you can choose directly from the ISO 27002 / Annex A control list.

Of course, there may be additional controls that you want to consider, but the ISO 27001 standard and the provided list of Annex A controls is designed specifically as a common-sense set of controls. It therefore makes perfect sense to use that list of controls as the controls you will use to mitigate risk. It also helps with your ISO 27001 certification by staying on point.

You will compare the controls determined in 6.1.3 above with those in ISO 27001 Annex A and verify that no necessary controls have been omitted.

Statement of Applicability (SOA)

It is down to you to produce a Statement of Applicability that contains the necessary controls and the justification for their inclusion, whether they are implemented or not, together with the justification for any Annex A controls you have excluded.

As mentioned, the Statement of Applicability is not a particularly difficult or complex document. It is just a list of controls with the date each was assessed and, if a control is not applicable, why not. Don’t overthink it.

Risk Treatment Plan

Once you have decided what your risk treatment will be, you need a plan to address it.

For risks that you accept, you will want to update the risk register and then minute that you accepted the risks at an appropriate Management Review Team meeting.

For other risks you will formulate a plan. The plan will include what you will do, who will do it, when they will do it and a check of the results.

Once the risk treatment has been completed, you risk assess again with the new controls in place. The result is what is called Residual Risk. All of this is documented in the risk register.

Risk Treatment Approval

Risk owners will approve the risk treatment plan and the acceptance of the residual information security risks. This will also be shared at the next Management Review Team meeting and agreed and minuted.

ISO 27001 Clause 6.1.3 Templates

ISO 27001 templates are a great way to implement your information security management system. Whilst an ISO 27001 toolkit can save you up to 30x in consulting fees and allow you to deliver up to 10x faster, these individual templates help meet the specific requirements of ISO 27001 Clause 6.1.3.

Risk Register Template
Risk Management Policy Template
Risk Management Process Template

ISO 27001 Clause 6.1.3 FAQ

What is ISO 27001 6.1.3 Information Security Risk Treatment?

The ISO 27001 standard requires an organisation to establish and maintain information security risk assessment processes that include the risk acceptance and assessment criteria.

Where can I download ISO 27001 Clause 6.1.3 Information Security Risk Treatment templates?

You can download ISO 27001 6.1.3 Information Security Risk Treatment templates here:

ISO 27001 Clause 6.1.3 Information Security Risk Treatment templates example

An example of Clause 6.1.3 Information Security Risk Treatment can be found here:

Is there an ISO 27001 6.1.3 risk register?

Yes. A complete guide to the ISO 27001 Clause 6.1.3 risk register can be found here:

Is there a guide to the risk management policy used in ISO 27001 Clause 6.1.3?

A guide to the ISO 27001 risk management policy used by ISO 27001 Clause 6.1.3 is located here:


About the Author

Stuart Barker

Stuart is an ISO 27001 consultant and author of the ISO 27001 Templates Toolkit. Over 20 years he has helped hundreds of organisations with the ISO 27001 standard and with achieving ISO 27001 certification, with a 100% success rate.
