What is Clause 8.3 in ISO 27001?
Clause 8.3 mandates the execution of the information security risk treatment plan. It is a documented process, and you should integrate it into business-as-usual tools such as SharePoint rather than run it in isolation. The clause ensures that the selected security controls are actually implemented, and it tracks each identified risk through to its treated outcome.
Auditor’s Eye: The Shortcut Trap
Many organisations rely on automated SaaS platforms to manage risk treatment. These platforms often produce generic “green ticks” with no operational depth, and this is a common failure mode. Auditors prefer to see evidence in native document repositories: SharePoint versioning or Jira workflows show real human deliberation. SaaS “black boxes” decouple security from daily operations, and this lack of ownership frequently leads to major non-conformities during audits.
| Requirement | ISO 27001:2013 | ISO 27001:2022 |
|---|---|---|
| Risk Treatment Plan | Clause 6.1.3 required the plan. | Clause 8.3 requires implementation. |
| Documentation | Retain documented information. | Retain documented information of results. |
| Owner Approval | Risk owners must approve. | Authority of owners is emphasised. |
How to Implement ISO 27001 Clause 8.3 (Step-by-Step)
Implement Clause 8.3 by following the risk treatment plan established during the planning phase. Use your existing organisational tools to track every action. This is a cultural change, not a software installation. Lead with the core requirement: perform the treatment and record the results. Follow these steps for an integrated approach.
Step 1: Define Treatment Options
- Select a treatment option for each identified risk and record it in Confluence.
- Document decisions to avoid, modify, share, or retain risks.
Step 2: Formulate Risk Treatment Plan
- Create a formal Risk Treatment Plan (RTP) within SharePoint.
- Map specific Annex A controls to treated risks.
Step 3: Obtain Owner Approval
- Record risk owner acceptance of residual risks using SharePoint versioning.
- Verify that owners have the authority to accept these risks.
Step 4: Produce Statement of Applicability
- Generate the Statement of Applicability (SoA) as a controlled document.
- Justify exclusions of any Annex A controls clearly.
ISO 27001 Clause 8.3 Information Security Risk Treatment Audit Evidence Checklist
Focus on manual records and meeting minutes. Use internal document versions to prove human oversight and intent. Provide these items for the auditor:
- Documented Risk Treatment Plan (RTP) with version history.
- Statement of Applicability (SoA) justifying all control decisions.
- Minutes of risk treatment workshops, recorded in Confluence.
- Signed residual risk acceptance records from risk owners.
- Jira tickets showing completion of specific treatment tasks.
Relational Mapping
Clause 8.3 is the operational arm of Clause 6.1. It directly implements the decisions made during risk assessment. It feeds into Clause 9.1 for monitoring and measurement. Furthermore, it determines the content of the Statement of Applicability. Every treatment action must link back to a specific risk owner.
Auditor Interview: Direct Process Management
Question: How does the organisation manage the implementation of risk treatment?
Answer: We use Jira to track the progress of every treatment action.
Question: Where is the record of risk owner approval for residual risks?
Answer: These are stored in our SharePoint Document-Based Management System.
Question: Why did you choose these specific Annex A controls?
Answer: Our SoA details the justification based on our internal risk assessment.
Common Non-Conformities
| Non-Conformity | Cause | Auditor Perspective |
|---|---|---|
| Automated Complacency | Relying on a SaaS platform’s green tick. | Major NC: No evidence of internal procedural oversight. |
| Missing Owner Sign-off | Risk owners did not approve residual risks. | Minor NC: Lack of management accountability. |
| Poor SoA Justification | Generic reasons for excluding Annex A controls. | Minor NC: Inadequate documentation of treatment choices. |
Frequently Asked Questions
What is the bottom line for Clause 8.3?
The bottom line is implementing your risk treatment plan. You must document the results of every action. Use native tools like SharePoint to maintain records. This proves the organisation owns the security process. It prevents the decoupling of security from daily business operations.
How does Clause 8.3 differ from Clause 6.1?
Clause 6.1 is about planning and selection. Clause 8.3 is about execution and results. You must prove that you followed your treatment plan. Documented evidence in Jira or SharePoint provides this proof. It shows that security is part of your operations.
How do you justify control exclusions in the SoA?
Justify an exclusion by explaining why the control is not applicable to your organisation. This must be a business-led decision. Record the justification in your version-controlled SoA document. Auditors look for specific, context-bound reasons rather than generic template text, because specific reasons demonstrate that you understand your own risk context.
