Vault restructure
This commit is contained in:
parent
d45797d121
commit
ff77508bd1
1433 changed files with 415450 additions and 1201 deletions
51
Corpus/Standards/ISO27x/Risk Treatment in ISO 27001.md
Normal file
@ -0,0 +1,51 @@
# Risk Treatment in ISO 27001
Based on the ISO 27000 series (specifically ISO 27000 for definitions/overview and ISO 27001 for requirements), the standards outline four primary options for treating information security risks.
### 1. Options for Risk Treatment
According to ISO 27000, which provides the overview and vocabulary for the ISO 27001 standard, a risk treatment decision involves selecting one of the following options[^1][^2]:
* **Risk Reduction (Applying Controls):** This involves modifying the risk by applying appropriate information security controls to reduce the likelihood or consequences of an incident[^1][^2].
* **Risk Retention (Acceptance):** This option involves knowingly and objectively accepting the risk, provided it satisfies the organization's policy and criteria for risk acceptance[^2][^3]. This is an informed decision to take a particular risk, which may occur without treatment or after treatment controls have been applied (residual risk)[^4].
* **Risk Avoidance:** This involves deciding not to start or continue with the activity that gives rise to the risk, thereby avoiding the risk entirely.
* **Risk Sharing:** This involves sharing the associated risk with other parties, such as through insurance contracts or by working with suppliers.
### 2. The Risk Treatment Process in ISO 27001
ISO 27001 specifies the requirements for applying these options within an Information Security Management System (ISMS). When planning risk treatment, an organization must define and apply a process that includes the following steps:
* **Select Options:** Select appropriate risk treatment options based on the results of the risk assessment[^5].
* **Determine Controls:** Determine the necessary controls to implement the chosen treatment options. Organizations can design these controls themselves or identify them from any source[^6].
* **Compare with Annex A:** Compare the determined controls against the list of possible information security controls found in **Annex A** of ISO 27001 to ensure no necessary controls have been overlooked.
* **Produce a Statement of Applicability (SoA):** This document must list the necessary controls, justify their inclusion, state whether they are implemented, and justify the exclusion of any Annex A controls[^7].
* **Formulate a Plan:** Create an information security risk treatment plan[^8].
* **Obtain Approval:** The risk owners must approve the risk treatment plan and accept the residual information security risks (the risk remaining after treatment).
### 3. Implementing Controls (Risk Reduction)
If the decision is to reduce risk by applying controls, ISO 27001 and ISO 27002 provide a comprehensive reference set. ISO 27001 Annex A lists controls derived from ISO 27002, organized into four themes:
* **Organizational controls** (e.g., policies, return of assets).
* **People controls** (e.g., screening, remote working).
* **Physical controls** (e.g., physical security perimeters, clear desk policy).
* **Technological controls** (e.g., protection against malware, data leakage prevention).
### Analogy
To visualize these options, imagine you are managing the risk of a car accident:
* **Reduction:** You drive a car with advanced brakes and airbags (applying controls).
* **Avoidance:** You decide to walk instead of drive (eliminating the activity causing the risk).
* **Sharing:** You purchase auto insurance so the financial burden is shared with the insurer.
* **Retention:** You understand that despite your safe driving and insurance, a minor scratch might still happen, and you are willing to accept that possibility.
[^1]: ISO/IEC 27000:2018 3.72 risk treatment process (3.54) to modify risk (3.61), Note 1 to entry
[^2]: ISO/IEC 27000:2018 4.5.4 Treating information security risks
[^3]: ISO/IEC 27000:2018 3.57 residual risk risk (3.61) remaining after risk treatment (3.72)
[^4]: ISO/IEC 27000:2018 3.62 risk acceptance informed decision to take a particular risk (3.61) Note 1 to entry: Risk acceptance can occur without risk treatment (3.72) or during the process (3.54) of risk treatment.
[^5]: ISO/IEC 27001:2022(E) 6.1.2 Information security risk assessment
[^6]: ISO/IEC 27001:2022(E) 6.1.3 Information security risk treatment
[^7]: ISO/IEC 27001:2022(E) 6.1.3 Information security risk treatment Note 3
[^8]: ISO/IEC 27001:2022(E) 6.1.3 Information security risk treatment e) and f)
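Review bot: Two of the four options in section 1 (Risk Avoidance, Risk Sharing) and two of the six process steps in section 2 (Compare with Annex A, Obtain Approval) carry no footnote, while their sibling items cite ISO 27000 4.5.4 or ISO 27001 6.1.3; since [^8] already cites "6.1.3 Information security risk treatment e) and f)", the Obtain Approval item can reuse it, and the other three items should cite the same clauses as their neighbours or be marked as the author's own summary. Smaller points: footnotes [^1], [^3] and [^4] run the clause number, the defined term and the quoted definition together (`3.72 risk treatment process (3.54) to modify risk (3.61)`), so a colon or quotation marks after the clause number would make them readable, and the Risk Retention item cites [^3] (the residual-risk definition) where [^4] (risk acceptance) is the definition it actually paraphrases. Finally, `### Analogy` is the only unnumbered heading in a file whose other sections are numbered 1 to 3.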