Residual risk
Definition
The risk that remains after controls are applied. If residual risk exceeds the organisation's risk appetite, further treatment is required or management must formally accept the elevated exposure.
Related terms
- Risk appetite: The amount and type of risk an organisation is willing to accept in pursuit of its objectives, as defined by its governing...
- Risk owner: The individual or role accountable for ensuring a risk is treated appropriately and that the treatment remains effective. Owners should control the...
- Risk register: A structured record of all identified risks, each with its description, inherent risk score, owner, treatment decision, controls selected, residual risk score,...
- Risk treatment: The process of selecting and implementing options to modify risk. ISO/IEC 27005 defines four treatment options: accept, avoid, mitigate (reduce), and transfer...
- Statement of Applicability (SoA): A mandatory document listing every ISO/IEC 27001 Annex A control with a statement of whether it is included or excluded, the justification...
Explained in
- Risk Treatment and the Risk Register