Risk owner
Definition
The individual or role accountable for ensuring a risk is treated appropriately and that the treatment remains effective. Owners should control the asset or process where the risk originates, making them responsible for authorising and funding controls.
Related terms
- Statement of Applicability (SoA): A mandatory document listing every ISO/IEC 27001 Annex A control with a statement of whether it is included or excluded, the justification...
- Annex A: The normative annex to ISO/IEC 27001 that lists 93 information security controls across four themes: organisational (37 controls), people (8), physical (14),...
- High-Level Structure (HLS): The common clause framework mandated by ISO for all management system standards. Clauses 4 through 10 of ISO 27001 follow the same...
- Information Security Management System (ISMS): The set of policies, processes, procedures, and controls that an organisation establishes to manage information security risk. ISO 27001 specifies the requirements...
- ISO/IEC 27002: A guidance standard (not certifiable) that provides implementation advice for each of the 93 controls in ISO 27001 Annex A. Updated in...
- Residual risk: The risk that remains after controls are applied. If residual risk exceeds the organisation's risk appetite, further treatment is required or management...
- Risk appetite: The amount and type of risk an organisation is willing to accept in pursuit of its objectives, as defined by its governing...
- Risk register: A structured record of all identified risks, each with its description, inherent risk score, owner, treatment decision, controls selected, residual risk score,...
- Risk treatment: The process of selecting and implementing options to modify risk. ISO/IEC 27005 defines four treatment options: accept, avoid, mitigate (reduce), and transfer...
Explained in these topics
- ISO/IEC 27001: Standard Structure and Requirements (excerpt: Introduced explicitly in ISO/IEC 27001:2022. The person or entity with the authority and accountability to manage a particular information security risk. Risk...)
- Risk Treatment and the Risk Register (excerpt: The individual or role accountable for ensuring a risk is treated appropriately and that the treatment remains effective. Owners should control the asset or pr...)