4. Clause 6.1.3 Information Security Risk Treatment
The organization should define, implement and operate an information security risk
treatment process.
The process responds to the risks evaluated under Clause 6.1.2(e) of ISO 27001:2013
(evaluation of information security risks).
All information related to this risk treatment process is documented in a Risk
Treatment Plan (RTP).
Custom eCommerce Developers
http://www.ifourtechnolab.com
5. Risk treatment process
Select appropriate information security risk treatment options, taking into account
the risk assessment results.
Determine all controls that are necessary to implement the risk treatment options
chosen above.
Compare the controls determined in the previous step with those in Annexure A of
ISO 27001:2013.
Verify that no necessary controls have been omitted.
6. Risk treatment process (Continued)
Produce a Statement of Applicability (SoA) that contains the necessary controls and
the justification for their inclusion.
Assess whether the necessary controls listed in Annexure A of ISO 27001:2013 are
implemented or not.
Provide justification for the exclusion of any controls from Annexure A of
ISO 27001:2013.
Formulate the information security risk treatment plan (RTP).
Obtain the risk owner's approval of the RTP and acceptance of the residual
information security risks.
7. Risk Treatment Strategies
Risks can be treated in four ways:
Risk Acceptance
Risk Reduction
Risk Transference
Risk Avoidance
8. Risk Treatment Options
Risk Acceptance:
The risk is acceptable with the current controls.
Risk Reduction:
The risk is reduced by implementing additional controls.
Risk Avoidance:
The risk cannot be reduced with the current controls and is not accepted.
Risk Transference:
The risk is transferred to a third party.
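The steps on slides 5 to 8 (select a treatment option per risk, determine the controls, compare them with Annexure A, check for omissions, produce the SoA with inclusion and exclusion justifications, build the RTP and obtain risk owner approval) can be walked through on a small risk register. The following Python script is an added example and is not code from the original slides or from iFour Technolab. The Annex A control ids and titles are a real subset of ISO 27001:2013 Annex A, but the threat tags, the likelihood-reduction weights, the risk appetite threshold and the whole risk register are constructed for illustration.

```python
"""Clause 6.1.3 risk treatment steps on a constructed risk register (added example)."""
from dataclasses import dataclass, field

ACCEPT, REDUCE, TRANSFER, AVOID = "Acceptance", "Reduction", "Transference", "Avoidance"
RISK_APPETITE = 6  # constructed: likelihood x impact at or below this is accepted as-is


@dataclass
class Risk:
    rid: str
    threat: str                 # tag used to match Annex A controls (constructed taxonomy)
    likelihood: int             # 1..5 from the risk assessment (Clause 6.1.2)
    impact: int                 # 1..5 from the risk assessment
    owner: str                  # risk owner who must approve the treatment
    candidate_controls: list = field(default_factory=list)  # Annex A ids proposed by the assessor
    transferable: bool = False  # e.g. insurable or contractable to a third party

    def score(self):
        return self.likelihood * self.impact


# Real Annex A ids/titles (subset); threat tags and reduction weights are constructed.
ANNEX_A = {
    "A.8.1.1": ("Inventory of assets", {"asset_loss"}, 1),
    "A.9.2.1": ("User registration and de-registration", {"unauthorised_access"}, 1),
    "A.9.4.3": ("Password management system", {"unauthorised_access"}, 1),
    "A.10.1.1": ("Policy on the use of cryptographic controls", {"disclosure"}, 2),
    "A.12.2.1": ("Controls against malware", {"malware"}, 2),
    "A.12.4.1": ("Event logging", {"unauthorised_access", "malware"}, 1),
    "A.12.6.1": ("Management of technical vulnerabilities", {"exploitation"}, 2),
    "A.13.1.1": ("Network controls", {"exploitation"}, 1),
}


def residual_score(risk, controls):
    """Residual risk once the given controls lower the likelihood (floor of 1)."""
    reduction = sum(ANNEX_A[c][2] for c in controls if c in ANNEX_A)
    return max(1, risk.likelihood - reduction) * risk.impact


def select_option(risk):
    """Step 1: pick one of the four treatment options from the assessment result."""
    if risk.score() <= RISK_APPETITE:
        return ACCEPT, []                                  # acceptable with current controls
    if risk.candidate_controls and residual_score(risk, risk.candidate_controls) <= RISK_APPETITE:
        return REDUCE, list(risk.candidate_controls)       # additional controls suffice
    if risk.transferable:
        return TRANSFER, []                                # liability moved to a third party
    return AVOID, []                                       # cannot be reduced, not accepted


def build_rtp(register):
    """Steps 1-2 and 6: the Risk Treatment Plan, one entry per risk."""
    plan = []
    for r in register:
        option, controls = select_option(r)
        residual = {ACCEPT: r.score(), REDUCE: residual_score(r, controls),
                    TRANSFER: r.score(), AVOID: 0}[option]
        plan.append({"rid": r.rid, "threat": r.threat, "owner": r.owner,
                     "option": option, "controls": controls, "residual": residual})
    return plan


def necessary_controls(plan):
    """Step 2: every control needed to implement the chosen options."""
    return sorted({c for e in plan for c in e["controls"]})


def check_omissions(plan):
    """Steps 3-4: Annex A controls that address a treated threat but were not selected."""
    treated = {e["threat"] for e in plan if e["option"] == REDUCE}
    chosen = set(necessary_controls(plan))
    return sorted(cid for cid, (_, tags, _) in ANNEX_A.items()
                  if tags & treated and cid not in chosen)


def statement_of_applicability(plan, implemented, exclusion_reasons):
    """Step 5: SoA with a justification for every inclusion and exclusion."""
    chosen = set(necessary_controls(plan))
    soa = {}
    for cid, (title, _, _) in ANNEX_A.items():
        if cid in chosen:
            rids = [e["rid"] for e in plan if cid in e["controls"]]
            soa[cid] = {"title": title, "applicable": True, "implemented": cid in implemented,
                        "justification": "Required to treat " + ", ".join(rids)}
        else:
            soa[cid] = {"title": title, "applicable": False, "implemented": None,
                        "justification": exclusion_reasons.get(
                            cid, "No risk in the register requires this control")}
    return soa


def approved(plan, approvals):
    """Step 7: every residual risk is accepted by its own risk owner."""
    return all(approvals.get(e["rid"]) == e["owner"] for e in plan)


REGISTER = [  # constructed risk register, not real assessment data
    Risk("R-01", "disclosure", 4, 5, "CISO", ["A.10.1.1", "A.9.2.1"]),
    Risk("R-02", "exploitation", 3, 4, "Head of IT", ["A.12.6.1"]),
    Risk("R-03", "asset_loss", 2, 2, "Head of IT"),
    Risk("R-04", "fraud", 3, 5, "CFO", transferable=True),
    Risk("R-05", "unauthorised_access", 5, 4, "CISO", ["A.9.4.3"]),
]

if __name__ == "__main__":
    rtp = build_rtp(REGISTER)
    for e in rtp:
        print(e["rid"], e["option"], e["controls"], "residual", e["residual"])
    print("necessary:", necessary_controls(rtp), "possible omissions:", check_omissions(rtp))
    print({k: v["justification"] for k, v in statement_of_applicability(rtp, {"A.10.1.1"}, {}).items()})
```

Running it shows each of the four options being chosen (R-03 accepted, R-01 and R-02 reduced, R-04 transferred, R-05 avoided), and the omission check flags A.13.1.1 because it addresses the same threat as a reduced risk but was never selected, which is exactly the kind of gap the "verify that no necessary controls have been omitted" step is meant to catch before the SoA is signed off.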
9. Documented Information for Clause 6.1.3
The organization should retain documented information about the information
security risk treatment process.
Information about the risk treatment process is documented in two ways:
Risk Treatment Plan
Statement of Applicability
10. Clause 6.2: Information Security Objectives
The organization shall establish information security objectives at relevant
functions and levels.
Information security objectives are primarily concerned with:
Confidentiality
Integrity
Availability
11. Information Security Objectives Characteristics
Information security objectives shall:
Be consistent with the information security policy
Be measurable
Be communicated
Be updated as appropriate
Take into account applicable information security requirements and the results of
risk assessment and risk treatment
12. Information Security Objectives Requirements
The organization shall determine the following in order to achieve its information
security objectives:
What will be done
What resources will be required
Who will be responsible
When it will be completed
How the results will be evaluated
13. Documented information for Clause 6.2
The organization shall retain documented information on the information security
objectives.
The information security objectives are documented and should comply with the
information security policies.
The confidentiality, integrity and availability requirements for information are
documented in order to secure information assets.