Clause 8.3 of ISO 27001:2022 is crucial because it addresses how organizations should **respond** to the information security risks identified in the risk assessment (in clause 8.2).

The clause stresses the importance of dealing with these risks effectively and consistently with the risk treatment method defined in clause 6.1.3.

To refresh our memory, in clause 6.1.3 we defined our risk analysis method and the way we wanted to deal with these risks. So the "how" has already been documented.

Clause 8.2 asked us to carry out a risk analysis. We now know what our risks are.

Clause 8.3 asks us to deal with risks!


Context of clause 8.3 – Continuity

Clause 8.3 follows on from clauses 6.1 and 8.2 of ISO27001:2022.

Clause 6.1 – Method documentation

According to clause 6.1.3, each organization must establish and maintain criteria for assessing information security risks.

These criteria must include risk identification, analysis and assessment.

Clause 8.2 – Identifying risks

Clause 8.2 requires an information security risk assessment. This assessment must identify the risks, analyze them and evaluate them according to the criteria set out in 6.2. Once these risks have been identified, clause 8.3 takes over the task of dealing with them.

Clause 8.3 – Risk management strategy

Once risks have been identified, clause 8.3 requires the organization to respond to these risks in a pre-agreed way. This means that the actions to be taken in response to the risks must be planned and agreed when the risk treatment method is established.

These actions may include risk acceptance, avoidance, transfer or reduction.

Acceptance: Accepting risk means recognizing that a specific risk exists, but deciding not to take immediate corrective action to mitigate or eliminate it. This does not mean ignoring the risk, but rather making an informed decision that the costs, efforts, or impacts on the business of mitigating the risk are greater than the consequences of the risk itself.

Transfer: Transferring risk involves shifting the responsibility and potential consequences of a risk to a third party. This approach is often used for risks that cannot be fully eliminated or cost-effectively mitigated by the organization itself. Examples include the use of insurance, third-party contracts or outsourcing portions of our organization.

Risk reduction: Risk reduction refers to actions or measures taken to reduce the probability of occurrence or the impact of an event, or both!

Avoidance or elimination: Risk avoidance means choosing not to engage in the activity or process that generates the risk, or significantly modifying the conditions so that the risk no longer exists.


The notion of residual risk

Even once we have addressed our risks and implemented measures, the notion of "residual risk" remains central to risk management, since it is impossible to eliminate all risks.

Residual risk refers to the level of risk that remains after all risk management measures have been implemented. In other words, it is the risk that remains once all the actions planned to mitigate or eliminate the initial risks have been implemented.


Create a risk register

In concrete terms, the organization must have a register of its risks.

This is a document that describes how the organization intends to manage and deal with the risks identified in clause 8.2, and the follow-up treatment required by clause 8.3.

The register should include the following elements:

  • List of identified risks, with probability and impact;
  • A description of the risk treatment strategies that will be used to deal with each risk (accept, reduce, transfer or eliminate);
  • A list of the controls that will be implemented to treat the risk, usually linked to the "Statement of Applicability" (SoA), which lists all the information security controls in Annex A of the standard;
  • Dates for implementing controls;
  • The plan for monitoring and reviewing the effectiveness of the risk treatment plan;
  • The level of residual risk;
  • The owner of the risk;
  • Formal acceptance of residual risks.
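A register built along these lines, with a completeness check for the gaps an auditor would query (residual risk without formal sign-off, a treatment with no linked controls or implementation date, overdue controls, no monitoring plan). This is an added example and not part of the original post; the 1..5 scoring scale, the field names and the two sample entries are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional
TREATMENTS = {"accept", "reduce", "transfer", "avoid"}  # the four options named above

@dataclass
class RiskEntry:
    risk_id: str
    description: str
    probability: int                      # 1..5 (assumed scoring scale)
    impact: int                           # 1..5 (assumed scoring scale)
    treatment: str                        # one of TREATMENTS
    owner: str
    monitoring_plan: str = ""
    controls: List[str] = field(default_factory=list)  # Annex A ids from the SoA
    implement_by: Optional[date] = None
    implemented: bool = False
    residual_level: int = 0               # probability x impact expected after treatment
    residual_accepted_by: str = ""        # formal sign-off on the residual risk

def register_findings(register: List[RiskEntry], today: date) -> list:
    """Return (risk_id, problem) pairs for entries an auditor would query."""
    findings = []
    for r in register:
        if r.treatment not in TREATMENTS:
            findings.append((r.risk_id, "treatment is not one of the agreed options"))
        if not r.owner:
            findings.append((r.risk_id, "no risk owner"))
        if r.treatment in ("reduce", "transfer") and not r.controls:
            findings.append((r.risk_id, "treatment needs controls linked to the SoA"))
        if r.treatment in ("reduce", "transfer") and r.implement_by is None:
            findings.append((r.risk_id, "no implementation date for controls"))
        if r.implement_by and r.implement_by < today and not r.implemented:
            findings.append((r.risk_id, "control implementation overdue"))
        if not r.monitoring_plan:
            findings.append((r.risk_id, "no plan to monitor treatment effectiveness"))
        if r.residual_level > r.probability * r.impact:
            findings.append((r.risk_id, "residual level exceeds inherent level"))
        if not r.residual_accepted_by:
            findings.append((r.risk_id, "residual risk not formally accepted"))
    return findings

# Constructed sample register (illustrative values, not real data)
SAMPLE = [
    RiskEntry("R-01", "Laptop theft exposes customer data", 3, 4, "reduce", "CISO",
              "quarterly check of disk-encryption coverage", ["A.8.1", "A.8.24"],
              date(2024, 6, 30), True, 4, "CEO"),
    RiskEntry("R-02", "Cloud provider outage", 2, 4, "transfer", "", residual_level=6),
]
```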

Information retention

One notable aspect of clause 8.3 is the need to retain documented information on risk treatment.

This means that the organization needs to keep track of the decisions it makes regarding risk treatment, and the reasons behind these decisions.

This documentation helps ensure the transparency of the process and facilitates future revisions of the risk management strategy.


Success criteria

To meet the requirements of 8.3, you must be able to demonstrate that the risk treatment plan described in clause 6.1 has been implemented.

And to determine whether we’ve met clause 8.3 of ISO27001:2022, here are some questions an auditor might ask:

  • What risk management measures have been put in place?
  • What controls has the organization implemented in response to the risks identified?
  • How are these controls monitored to ensure their ongoing effectiveness?
  • Have the actions following risk treatment been implemented?
  • Are the actions following risk management reviewed and updated regularly?
