# Risk assessment and treatment at two levels in ISO 27001

Risk assessment and risk treatment are discussed both in Chapter 6 and in Chapter 8. What is the difference?

The relationship between the clauses on information security risk assessment and those on information security risk treatment hinges on their roles within the Information Security Management System (ISMS) framework defined by ISO/IEC 27001:2022. In essence, Clauses [6.1.2](../../ISMS/Qualifying%20vs%20quantifying%20risks.md) and [6.1.3](../../MoCs/ISO_27001_2022_6.1.3_MoC%20Information%20security%20risk%20treatment.md) (Information security risk assessment and risk treatment) define the _processes_ and _criteria_ for risk management within the planning stage, while Clauses [8.2](../../MoCs/ISO_27001_2022_8.2_MoC%20Information%20security%20risk%20assessment.md) and [8.3](../../MoCs/ISO_27001_2022_8.3_MoC%20Information%20security%20risk%20treatment.md) define the _operational execution_ and _timing_ for applying those established processes.

### 1. Risk Processes Defined (Planning: Clause 6)

Clauses 6.1.2 and 6.1.3, located within the **Planning (Clause 6)** section of the ISO/IEC 27001 requirements, establish the foundational framework and repeatable methodology for how the organization approaches risk management:

- **6.1.2 Information security risk assessment:** This clause mandates the **definition and application** of a risk assessment process. This process includes:
  - Establishing and maintaining risk criteria, including risk acceptance criteria.
  - Ensuring that repeated assessments produce consistent, valid, and comparable results.
  - Identifying, analyzing, and evaluating information security risks associated with the loss of confidentiality, integrity, and availability within the scope of the ISMS, and determining risk owners.
  - The organization must **retain documented information** about this defined risk assessment process.
- **6.1.3 Information security risk treatment:** This clause mandates the **definition and application** of a risk treatment process. This process involves:
  - Selecting appropriate risk treatment options based on the assessment results.
  - Determining all necessary controls needed to implement the chosen treatment options.
  - **Comparing** the determined controls against those listed in **Annex A** (which is directly derived from the ISO/IEC 27002 controls) to ensure that no necessary controls have been omitted.
  - Producing a **Statement of Applicability (SoA)** detailing the controls chosen, the justification for their inclusion, their implementation status, and the justification for excluding any Annex A controls.
  - Formulating an **Information security risk treatment plan**.
  - Obtaining approval of the treatment plan and acceptance of the residual risks from the risk owners.
  - The organization must **retain documented information** about this defined risk treatment process.
- The risk assessment and treatment processes align with the principles and guidelines found in ISO 31000.

### 2. Risk Processes Implemented (Operation: Clause 8)

Clauses 8.2 and 8.3, located within the **Operation (Clause 8)** section, describe when and how the processes defined in Clauses 6.1.2 and 6.1.3 must actually be performed by the organization.

- **8.2 Information security risk assessment:** This clause specifies the **trigger events** for conducting the risk assessment defined in 6.1.2. The organization must perform risk assessments at **planned intervals** or when **significant changes are proposed or occur**. These assessments must follow the criteria established in 6.1.2 a).
  - The organization is required to retain documented information of the **results** of these operational risk assessments.
- **8.3 Information security risk treatment:** This clause specifies the **action** required once the risk treatment plan (formulated in 6.1.3 e)) has been determined: the organization must **implement the information security risk treatment plan**.
  - The organization is required to retain documented information of the **results** of this operational risk treatment.

### Summary of the Relationship

|Clause|Section|Focus|Purpose in the ISMS Cycle|
|:--|:--|:--|:--|
|**6.1.2** (Risk assessment)|Planning|**Defining the Risk Methodology**|Establishes _how_ risk assessment will be performed (criteria, repeatable process, identification, analysis, evaluation).|
|**6.1.3** (Risk treatment)|Planning|**Defining the Treatment Framework**|Establishes _how_ risks will be treated (control selection, comparison with Annex A, SoA creation, plan formulation, residual risk acceptance).|
|**8.2** (Risk assessment)|Operation|**Executing the Assessment**|Defines _when_ the defined risk assessment process (6.1.2) must be carried out (planned intervals or significant changes).|
|**8.3** (Risk treatment)|Operation|**Executing the Treatment**|Requires the organization to _implement_ the risk treatment plan formulated during the planning stage (6.1.3).|