Professional Documents
Culture Documents
XM ISO 27005 - 2022 8. ISRT
XM ISO 27005 - 2022 8. ISRT
XM ISO 27005 - 2022 8. ISRT
Action
Risk Effect of uncertainty on objectives positive / negative
Risk treatment plan (RTP) Output
Process to modify risk
RTP is a plan to modify risk such that it meets the organization’s risk acceptance criteria
voiding the risk by deciding not to start or continue
A
with the activity that gives rise to the risk
a plan to implement the organization’s necessary controls 1. Project plan
Risk treatment Taking or increasing risk in order to pursue an opportunity
t he plan that not only identifies necessary controls but also describes how
2. Design plan Removing the risk source
the controls interact with their environment and each other to modify risks
RTP
can involve: Changing the likelihood
In practice, both can be used
Changing the consequences
nce the controls are in place, the project plan ceases to have any value
O
other than as a historical record, whereas the design plan is still useful. Sharing the risk with another party or parties (including contracts and risk financing)
the rationale for selection of the treatment options, including the Risk transfer is a form of risk sharing
expected benefits to be gained
Risk retention Temporary acceptance of the potential benefit of gain, or burden of loss, from a particular risk
those who are accountable and responsible for
approving and implementing the plan Control Measure that maintains and/or modifies risk
the proposed actions Residual risk Risk remaining after risk treatment
risk avoidance
the resources required, including contingencies
or each treated
F
the performance indicators risk the plan should risk modification
include:
Options
the constraints
risk retention
the required reporting and monitoring
.6 Information
8
when actions are expected to be undertaken and completed
security RTP risk sharing
implementation status he input of the information security risk treatment is based on the risk assessment process
T
8.1 General outcomes in the form of a prioritized set of risks to be treated, based on risk criteria.
he risk treatment plan actions should be ranked by priority in
T ISO 27005:2022 he output of this process is a set of necessary information security controls that are to be
T
relation with the level of risk and urgency of treatment.
Statement of Applicability (SoA) Output isk sharing, by splitting responsibilities with other parties, either
R
internally or externally (e.g. sharing the consequences via insurance)
a) the necessary controls
isk treatment options should be selected based on the outcome of the risk assessment, the
R
b) justification for their inclusion .5 Producing a
8 expected costs for implementing these options and the expected benefits from these options
oA should
S
contain at least:
Statement of Determine all controls, from the chosen control sets as selected from an appropriate source, that are necessary for
Action
c) whether they are implemented or not Applicability treating the risks based on the risk treatment options chosen, such as to modify, retain, avoid or share the risks.
Controls cannot be added to the SOA independent of the risk assessment ISO/IEC 27001:2022, Annex A