Showing posts with the label Roles and responsibility of ISMS Objective

ISO 27001 Clause 6.1.3 Information security risk treatment

Information security risk treatment

Required activity: The organization defines and applies an information security risk treatment process.

Implementation guideline: Information security risk treatment is the overall process of choosing risk treatment options, determining the appropriate controls to implement those options, formulating a risk treatment plan, and obtaining approval of the risk treatment plan by the risk owner(s). All steps of the information security risk treatment process, as well as the results of its application, are retained by the organization as documented information.

Information security risk treatment options: The risk treatment options are: avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk, or by removing the risk source (e.g. closing an e-commerce portal); taking additional risk or increasing risk in order to pursue a business opportunity (e.g. opening an e-commerce portal); modifying the R...