The Definitive Governance Requirement.
Clause 6.1.3 mandates that you formulate and implement a strategic plan to address the risks identified in your assessment. It requires you to define and execute the controls necessary to reduce risk to an acceptable level. This is where analysis ends and action begins.
The Mandate
Finding a risk is useless if you do not act on it. The standard requires a formal decision-making process for every risk that exceeds your acceptance criteria.
You must:
- Select an Option: Decide how to handle the risk (Treat, Accept, Avoid, or Transfer).
- Determine Controls: Select the necessary controls (often from Annex A) to implement the treatment option.
- Produce the SoA: Compare your selected controls against Annex A to create the Statement of Applicability.
- Approve: The Risk Owners must formally accept the residual risk (the risk remaining after treatment).
The Verdict: The Statement of Applicability (SoA) produced here is the most important document in your entire certification. It is the contract between you and the auditor.
The Implementation Strategy
Do not default to “fixing” everything. That is how you bankrupt an IT department. You have four strategic levers:
- Mitigate (Treat): Apply controls (e.g., install antivirus) to reduce Likelihood or Impact.
- Transfer (Share): Shift the liability to a third party (e.g., Cyber Insurance or outsourcing to a secure vendor).
- Avoid (Terminate): Stop the activity entirely (e.g., “We will simply stop storing credit card data”).
- Accept (Tolerate): Acknowledge the risk and do nothing. Note: This requires formal sign-off from senior leadership. You cannot accept a critical risk casually.
The Statement of Applicability (SoA): You must list every control in Annex A (5.1 to 8.34). For each, you must state: “Applicable” or “Not Applicable.” If applicable, explain why (e.g., “Required to mitigate Risk #42”). If not applicable, justify the exclusion.
The Auditor’s Trap
[The Auditor’s View] The most common Major Non-Conformance here is “The Unauthorized Acceptance.” I often see a Risk Treatment Plan where a ‘High Risk’ is marked as ‘Accept’ because the IT Manager didn’t have the budget to fix it. Unless the actual Risk Owner (often the CEO or Dept Head) has signed a document accepting that residual risk, you are non-compliant. The IT Manager cannot accept business risk.
Required Evidence
The paper trail here must be absolute.
- Risk Treatment Plan (RTP): A project management document detailing who will do what, by when, to treat the risks.
- The Statement of Applicability (SoA): The definitive list of included and excluded controls.
- Risk Treatment Methodology: Evidence that you applied a consistent logic to your decisions.
- Residual Risk Acceptance Records: Signatures from Risk Owners accepting the final state.
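As an added example (not from the article and not the Hightable framework's code), the following Python encodes the rules set out above: every Annex A control gets an SoA row, an excluded control needs a justification, a risk above the acceptance criteria that is marked "Accept" needs the named Risk Owner's sign-off, and a risk marked "Treat" needs at least one control. The Annex A list is a constructed three-control subset, and all risk ids, owners, controls and records are made up.

```python
# Added example: SoA generation plus the "Unauthorized Acceptance" check.
# ANNEX_A is a constructed subset of ISO 27001 Annex A, not the full 5.1-8.34 list.
from dataclasses import dataclass, field

ANNEX_A = {"5.7": "Threat intelligence",
           "8.7": "Protection against malware",
           "8.15": "Logging"}

ACCEPTANCE_CRITERIA = {"Low"}   # risk levels that may be accepted without treatment

@dataclass
class Risk:
    rid: str
    level: str                  # "Low" | "Medium" | "High"
    option: str                 # "Treat" | "Accept" | "Avoid" | "Transfer"
    owner: str                  # the business Risk Owner who must sign off
    controls: list = field(default_factory=list)   # Annex A ids selected to treat it

def build_soa(risks, exclusions):
    """One row per Annex A control: (status, justification)."""
    soa = {}
    for cid in ANNEX_A:
        using = [r.rid for r in risks if cid in r.controls]
        if using:
            soa[cid] = ("Applicable", "Required to mitigate " + ", ".join(using))
        else:
            soa[cid] = ("Not Applicable", exclusions.get(cid, "MISSING JUSTIFICATION"))
    return soa

def find_nonconformances(risks, acceptance_records, soa):
    """acceptance_records maps risk id -> name of the person who signed the acceptance."""
    findings = []
    for r in risks:
        if r.option == "Accept" and r.level not in ACCEPTANCE_CRITERIA \
                and acceptance_records.get(r.rid) != r.owner:
            findings.append(f"{r.rid}: residual {r.level} risk accepted without Risk Owner sign-off")
        if r.option == "Treat" and not r.controls:
            findings.append(f"{r.rid}: marked Treat but no controls selected")
    for cid, (_, why) in soa.items():
        if why == "MISSING JUSTIFICATION":
            findings.append(f"Annex A {cid}: excluded without justification")
    return findings

# Constructed sample data: R-07 is a High risk "accepted" by the IT Manager, not its owner.
RISKS = [Risk("R-42", "High", "Treat", "CISO", ["8.7"]),
         Risk("R-07", "High", "Accept", "CEO"),
         Risk("R-11", "Low", "Accept", "CFO")]
ACCEPTANCES = {"R-07": "IT Manager"}
EXCLUSIONS = {"5.7": "Threat intelligence feed is supplied by the MSSP under contract"}

def audit():
    soa = build_soa(RISKS, EXCLUSIONS)
    return soa, find_nonconformances(RISKS, ACCEPTANCES, soa)
```

Running `audit()` on the sample data flags R-07 (High risk accepted without the CEO's signature) and Annex A 8.15 (excluded with no justification); swapping the acceptance record to the named owner clears the first finding.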
Strategic Acceleration
Creating an RTP and SoA from scratch involves mapping hundreds of variables. It is a manual process prone to human error.
The Hightable™ Risk Treatment Framework automates the linkage. It connects your Risk Assessment directly to the SoA, ensuring that if you select a control to fix a risk, it automatically populates your Statement of Applicability.
The Next Move: Deploy the Risk Treatment Framework
