Risk treatment
Definition
The process of selecting and implementing options to modify risk. ISO/IEC 27005 defines four treatment options: accept, avoid, mitigate (reduce), and transfer (share). The selected option and its rationale must be documented and approved.
Related terms
- Residual risk: The risk that remains after controls are applied. If residual risk exceeds the organisation's risk appetite, further treatment is required or management...
- Risk appetite: The amount and type of risk an organisation is willing to accept in pursuit of its objectives, as defined by its governing...
- Risk owner: The individual or role accountable for ensuring a risk is treated appropriately and that the treatment remains effective. Owners should control the...
- Risk register: A structured record of all identified risks, each with its description, inherent risk score, owner, treatment decision, controls selected, residual risk score,...
- Statement of Applicability (SoA): A mandatory document listing every ISO/IEC 27001 Annex A control with a statement of whether it is included or excluded, the justification...
Explained in
- Risk Treatment and the Risk Register