ISO 27001 Clause 8.3

ISO 27001 Clause 8.3 Information Security Risk Treatment

Information security risk treatment is the process of selecting and implementing controls that reduce the likelihood and impact of the information security risks identified during risk assessment. It is a core part of any information security management system (ISMS) and a mandatory requirement of the ISO 27001 standard.

Clause 8.3 of ISO 27001 requires organisations to implement their information security risk treatment plan and to retain documented information about the results of that risk treatment.

In practice this means the plan the organisation produced for dealing with its identified risks must actually be carried out, and the organisation must keep records showing what was done and with what outcome.

Meeting requirement 8.3 depends on several related activities, some of which belong to neighbouring clauses of the standard:

  • Identifying and assessing risks (the risk assessment process of Clause 8.2).
  • Selecting treatment options and producing the risk treatment plan (Clause 6.1.3).
  • Implementing the plan and monitoring whether the chosen treatments are working (Clause 8.3).
  • Retaining documented information on the results of the risk treatment (Clause 8.3).

Organisations can draw on different resources to meet requirement 8.3, such as:

  • Following a recognised risk management methodology, for example the guidance in ISO/IEC 27005.
  • Using risk management software to maintain the risk register and treatment plan.
  • Engaging an external adviser with information security risk management experience.

What is ISO 27001 Clause 8.3?

The organisation shall implement the information security risk treatment plan.

The organisation shall retain documented information of the results of the information security risk treatment.

ISO 27001:2022 Clause 8.3 Information Security Risk Treatment

What is the information risk treatment plan?

An information risk treatment plan (IRTP) is the document that sets out how an organisation will deal with the information security risks identified in its risk assessment. The IRTP should include:

  • A list of the identified risks, with the assessed likelihood and impact of each and the named owner of each risk.
  • The treatment option chosen for each risk (avoid, mitigate, accept or transfer).
  • The controls selected to support those options, cross-referenced to the Statement of Applicability.
  • A schedule, with responsibilities, for implementing those controls.
  • The expected residual risk after treatment, together with the risk owner's approval of the plan and acceptance of that residual risk.
  • A plan for monitoring and reviewing how well the risk treatment is working.

The IRTP is a living document: it should be updated whenever the risk assessment is repeated, when controls are implemented or changed, and whenever the risks the organisation faces change.

What are the four ways to handle risks?

There are several ways to deal with a risk, and more than one can be applied to the same risk. The four most common treatment options are:

  • Avoidance: eliminating the risk altogether by not carrying out the activity that gives rise to it, for example decommissioning a system or deciding not to adopt a particular technology or process.
  • Mitigation (also called risk modification): reducing the likelihood or the impact of the risk, typically by implementing controls. The risk that remains afterwards is the residual risk.
  • Acceptance (also called risk retention): making an informed, documented decision to live with the risk, approved by the risk owner, usually because the risk is within the organisation's risk appetite or because treating it would cost more than the risk justifies.
  • Transfer (also called risk sharing): passing some of the risk's consequences to another party, for example through insurance or outsourcing. Accountability for the risk stays with the organisation.

Which option is best for a specific risk depends on how likely the risk is, how severe its impact could be, what the candidate controls cost and how effective they are, and how much risk the organisation is willing to accept (its risk appetite).

How to put information security risk treatment into action

To put an information security risk treatment plan in place, organisations should follow a risk management process with four recurring steps.

  • Identify risks: The first step is to identify the information security risks the organisation faces. This can be done in different ways, such as risk assessments, threat modelling and vulnerability assessments.
  • Assess risks: Once the risks are identified, rate how likely each is and how severe its impact could be. Use these ratings to rank the risks, decide which exceed the organisation's acceptable level of risk, and choose the most suitable treatment option for each.
  • Treat risks: After the treatment options are chosen, put them into action. This might mean implementing new controls, strengthening existing ones, or changing a process. Record what was done and the residual risk that remains.
  • Monitor and review risks: Managing risk is a continuing activity. Regularly check that controls were implemented on schedule, that they are working as intended, and that residual risks remain acceptable. The records of these checks are the documented information that Clause 8.3 requires.
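The plan contents listed above and the four process steps can be expressed as a small risk register and treatment plan tracker. The following Python is an added example written for this page, not code from the standard or from any ISO 27001 tool; it assumes a 1 to 5 rating scale for likelihood and impact, a risk appetite threshold of 6 on the resulting score, hypothetical control identifiers (C-01, C-02), and a constructed sample register. It scores and ranks the risks, then reviews each plan entry for the gaps an internal reviewer or auditor would raise: no treatment decision, mitigation without controls, overdue controls, implemented controls with no documented result, and residual risk above appetite that the risk owner has not accepted.

```python
from dataclasses import dataclass, field
from datetime import date
from enum import Enum
from typing import Dict, List, Optional

# Assumed risk appetite for this example: a residual score (likelihood x impact,
# each rated 1..5) above this value needs explicit risk-owner acceptance.
RISK_APPETITE = 6


class Treatment(Enum):
    AVOID = "avoid"
    MITIGATE = "mitigate"
    ACCEPT = "accept"
    TRANSFER = "transfer"


@dataclass
class Control:
    ref: str                          # control identifier (hypothetical)
    description: str
    due: date                         # date from the implementation schedule
    implemented_on: Optional[date] = None
    evidence: str = ""                # where the documented result lives (Clause 8.3)

    def implemented(self) -> bool:
        return self.implemented_on is not None


@dataclass
class Risk:
    rid: str
    description: str
    owner: str                        # named risk owner who approves the treatment
    likelihood: int                   # 1 (rare) .. 5 (almost certain)
    impact: int                       # 1 (negligible) .. 5 (severe)
    treatment: Optional[Treatment] = None
    controls: List[Control] = field(default_factory=list)
    residual_likelihood: Optional[int] = None
    residual_impact: Optional[int] = None
    owner_accepted_residual: bool = False

    def inherent_score(self) -> int:
        return self.likelihood * self.impact

    def residual_score(self) -> int:
        # Until treatment changes it, the residual rating equals the inherent one.
        lk = self.likelihood if self.residual_likelihood is None else self.residual_likelihood
        im = self.impact if self.residual_impact is None else self.residual_impact
        return lk * im


def prioritise(register: List[Risk]) -> List[str]:
    """Assessment step: risk IDs ordered from highest to lowest inherent score."""
    return [r.rid for r in sorted(register, key=lambda r: (-r.inherent_score(), r.rid))]


def review_risk(risk: Risk, today: date) -> List[str]:
    """Findings that would stop this plan entry passing an internal review."""
    findings: List[str] = []
    if not risk.owner:
        findings.append("no risk owner")
    if risk.treatment is None:
        findings.append("no treatment option selected")
    if risk.treatment is Treatment.MITIGATE and not risk.controls:
        findings.append("mitigation selected but no controls listed")
    for c in risk.controls:
        if not c.implemented() and c.due < today:
            findings.append(f"control {c.ref} overdue since {c.due.isoformat()}")
        if c.implemented() and not c.evidence:
            findings.append(f"control {c.ref} implemented but no documented result")
    if risk.residual_score() > RISK_APPETITE and not risk.owner_accepted_residual:
        findings.append(f"residual score {risk.residual_score()} exceeds appetite "
                        f"{RISK_APPETITE} and is not accepted by the risk owner")
    return findings


def review_register(register: List[Risk], today: date) -> Dict[str, List[str]]:
    """Monitor-and-review step: every risk ID mapped to its open findings."""
    return {r.rid: review_risk(r, today) for r in register}


# Constructed sample register and review date for this example; not real data.
TODAY = date(2024, 6, 1)
SAMPLE_REGISTER = [
    Risk("R-01", "Backup media stored unencrypted off-site", "IT operations lead",
         likelihood=3, impact=5, treatment=Treatment.MITIGATE,
         controls=[Control("C-01", "Encrypt backup media", date(2024, 3, 31),
                           implemented_on=date(2024, 3, 20), evidence="change record CR-118")],
         residual_likelihood=1, residual_impact=5),
    Risk("R-02", "Phishing leads to credential theft", "CISO",
         likelihood=5, impact=4, treatment=Treatment.MITIGATE,
         controls=[Control("C-02", "Enforce phishing-resistant MFA", date(2024, 5, 15))],
         residual_likelihood=2, residual_impact=4),
    Risk("R-03", "Legacy FTP server exposed to the internet", "Platform lead",
         likelihood=4, impact=4, treatment=Treatment.AVOID,
         residual_likelihood=1, residual_impact=1),
    Risk("R-04", "Flooding damages on-premises hardware", "Facilities manager",
         likelihood=1, impact=3),
]

if __name__ == "__main__":
    print("priority order:", prioritise(SAMPLE_REGISTER))
    for rid, open_findings in review_register(SAMPLE_REGISTER, TODAY).items():
        print(rid, "OK" if not open_findings else "; ".join(open_findings))
```

Run as a script, the review ranks R-02 (phishing) first and flags it twice: its MFA control is past its due date, and its residual score of 8 is above the assumed appetite without the CISO having accepted it. R-04 is a low risk, but it is still flagged because no treatment decision has been recorded; even an accepted risk needs the acceptance written down. R-01 and R-03 pass because their controls are implemented with evidence recorded, or the risk has been avoided, and their residual scores are within appetite.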

ISO 27001 requires organisations to formulate a risk treatment plan for the information security risks identified during the risk assessment process (Clause 6.1.3), and Clause 8.3 requires that plan to be implemented.

The risk treatment plan should list the risks, state how the organisation will handle each one, and describe the controls that support those decisions.

The risk treatment plan is important for ISO 27001 certification because it shows the auditor that the organisation has a plan to manage its information security risks. The auditor will check that the plan covers the assessed risks and is suitable for the organisation, and will then ask for evidence that it has actually been implemented, such as records of controls put in place and the results of reviews. That evidence is the documented information Clause 8.3 requires.

The benefits of having an information risk treatment plan

Besides being required for ISO 27001 certification, a risk treatment plan has several other advantages, such as:

  • Fewer information security incidents: An information risk treatment plan helps organisations identify and handle their information security risks effectively. This reduces the likelihood and severity of incidents such as data breaches, malware infections and denial-of-service attacks.
  • Easier regulatory compliance: Many laws and regulations require a documented, risk-based approach to protecting information. A risk treatment plan is direct evidence to regulators that the organisation has assessed its risks and is acting on them.
  • Greater customer trust: Customers are more likely to do business with organisations they believe will keep their data safe. A risk treatment plan helps organisations demonstrate that they take information security seriously.
  • Lower costs: Information security incidents can be very expensive, both in direct losses and in reputational damage. Reducing their likelihood through planned treatment can save a great deal of money.
  • Better business continuity: Information security incidents can halt business operations and lead to lost income. Treating the risks behind them improves the organisation's resilience.

In addition to these benefits, having an information risk treatment plan can also help organisations to:

  • Make better choices about information security spending: By understanding their risks, organisations can make smarter decisions about where to invest their money in terms of security measures.
  • Improve communication and teamwork: An information risk treatment plan can help different teams within an organisation communicate and work together better. This can lead to a more effective and efficient way of handling information security.
  • Make people more aware of information security risks: An information risk treatment plan can help employees become more aware of information security risks. This can lead to them behaving more responsibly when it comes to information security.

Overall, an information risk treatment plan is a very important tool for any organisation that wants to protect its important information and improve its information security.