Information security risk treatment for ISO 27001 Requirement 8.3
What is involved in requirement 8.3?
Section 8 of the ISO 27001 standard deals with the operation of the information security management system as needed to meet information security requirements and to achieve the information security objectives determined in 6.2.
Under Sect. 8.3, the requirement is for the organisation to implement the information security risk treatment plan and retain documented information on the results of that risk treatment. This should include evidence and clear audit trails of reviews and actions.
This requirement is therefore concerned with ensuring that the risk treatment processes described in Sect. 6.1, Actions to address risks and opportunities, are actually taking place.
Meeting the requirement to implement information security risk treatment
To meet the requirements of 8.3 you must be able to evidence that the risk treatment plan described in Sect. 6.1 is being implemented.
This must include the evidence behind the treatment. In simple terms ‘treatment’ can be work you are doing internally to control and tolerate the risk, or it could mean steps you are taking to transfer the risk (e.g. to a supplier), or it could be to terminate a risk entirely.
The controls you select to manage the risks must consider, but need not be limited to, those described in Annex A of the standard. These controls form the backbone of the Statement of Applicability (SoA), which describes all the controls and why they have, or haven’t, been implemented.
How to create a risk treatment and manage your risk treatment process
Risk treatment should be considered alongside risk assessment and ultimately feed into the SoA too.
Typically, organisations find that managing and evidencing risk is the most complex part of ISO 27001. Read our recent article Information Security Risk Management Explained to explore risk management more fully.
It can take weeks, if not months, of work to establish the correct risk assessment methodology and to create a way of documenting and capturing the evidence of the complete risk management process.
Here is where using the ISMS.online software solution will undoubtedly save weeks of work on the risk management process.
- A template policy for Sect. 8 of ISO 27001:2013
- A template policy for 6.1 which includes a comprehensive yet pragmatic approach to risk identification, analysis, and treatment, as well as ongoing monitoring and review
- Simple to use risk management tools, as described in the above policy and methodology, which produce and maintain the treatment plan
- A whole bank of common risks together with suggested Annex A controls to link to
- Workspaces to capture all of the work done, enabling retention of the documented information within the tools and offering links back to the controls and policies used to address the risks and issues
- Dynamically created Statement of Applicability, linking back to the Annex A Controls
- One joined-up place to securely manage the complete ISMS
Discover how you can save time & reduce management resource using ISMS.online to achieve & maintain your ISO 27001 ISMS
The ISO 27001 requirements are listed below:
- 4.1 Understanding the organisation and its context
- 4.2 Understanding the needs and expectations of interested parties
- 4.3 Determining the scope of the information security management system
- 4.4 Information security management system
- 5.1 Leadership and commitment
- 5.2 Information Security Policy
- 5.3 Organizational roles, responsibilities and authorities
- 6.1 Actions to address risks and opportunities
- 6.2 Information security objectives and planning to achieve them
- 7.1 Resources
- 7.2 Competence
- 7.3 Awareness
- 7.4 Communication
- 7.5 Documented information
- 8.1 Operational planning and control
- 8.2 Information security risk assessment
- 8.3 Information security risk treatment
- 9.1 Monitoring, measurement, analysis and evaluation
- 9.2 Internal audit
- 9.3 Management review
- 10.1 Nonconformity and corrective action
- 10.2 Continual improvement
The ISO 27001 Annex A Controls are listed below:
- A.5 Information security policies
- A.6 Organisation of information security
- A.7 Human resource security
- A.8 Asset management
- A.9 Access control
- A.10 Cryptography
- A.11 Physical and environmental security
- A.12 Operations security
- A.13 Communications security
- A.14 System acquisition, development and maintenance
- A.15 Supplier relationships
- A.16 Information security incident management
- A.17 Information security aspects of business continuity management
- A.18 Compliance
Need a set of ISO 27001 policies for your ISMS?
ISMS.online includes practical policies and controls for your organisation to easily adopt, adapt and add to, giving you a 77% head start with ISO 27001.