Risk Treatment for ISO 27001
Transcription
Clause 6.1.3 of the ISO 27001 standard states that organizations shall define and apply an information security risk treatment process. A risk treatment process defines the steps necessary to treat risk, selecting appropriate information security risk treatment options and taking into account the results of the risk assessment. The risk treatment plan should define who is responsible for determining the treatment options, who will implement the controls, and what processes will be used to determine the efficacy of the proposed controls for treating risk. The organization can design controls as required, identify them from any source, or utilize the controls documented in Annex A of the 27001 standard. As part of the plan, the risk owner's approval of the information security risk treatment plan and acceptance of the residual risk should be documented.