ISO 27001 Clause 8.3 is about putting your security plans into action. After you find risks to your information, you need a plan to deal with them. This part of the rule says you must act on that plan. You also must keep records of what you did.
What is ISO 27001 Clause 8.3 Information Security Risk Treatment?
The latest version of the ISO 27001 standard is ISO/IEC 27001:2022 (published in October 2022).
In the ISO/IEC 27001:2022 standard the clause is titled “Information Security Risk Treatment”.
What is the ISO 27001 Clause 8.3 control objective?
The formal definition and control objective in the standard is: “The organisation shall implement the information security risk treatment plan. The organisation shall retain documented information of the results of the information security risk treatment.”
What is the purpose of ISO 27001 Clause 8.3?
The purpose of ISO 27001 Clause 8.3 is to execute information security risk treatment. Building upon the risk treatment planning covered in clause 6.1.3, this clause focuses on putting those plans into action. For ISO 27001 certification, the standard mandates the effective treatment and management of identified risks. This process requires documented evidence of the risk treatment activities, typically maintained within the risk register.
Is ISO 27001 Clause 8.3 Mandatory?
ISO 27001 Clause 8.3 (Information Security Risk Treatment in the 2022 standard) is a mandatory clause in the main body of the standard.
How to Treat Risks
There are a few ways to handle a risk:
- Reduce it: You can apply controls to lessen the risk.
- Share it: You can pass the risk to another party, such as an insurance company.
- Avoid it: You can stop the activity that causes the risk.
- Accept it: You can choose to live with the risk.
Putting Your Plan into Action
To meet this clause, you must be able to show that you are carrying out your risk treatment plan. This means keeping evidence of what you did, for example records of the checks you performed and the fixes you made. This evidence gives you and an auditor confidence that your plans are working.
What an Auditor Will Check
An auditor will want to see proof that you are following these rules. They will:
- Check for proof that your plans are being used.
- Look at how you decided to handle each risk.
- Want to see that you are using the right controls.
- Check to see if you have enough money and staff to do the work.