8.Information Security Risk Acceptance

Question 1

Information security risk acceptance

Input

Answer 1

Risk treatment plan and residual risk assessment subject to the acceptance decision of the organization’s managers.

Question 2

Implementation guidance

Answer 2

Risk treatment plans should describe how assessed risks are to be treated to meet risk acceptance criteria. It is important for responsible managers to review and approve proposed risk treatment plans and resulting residual risks, and record any conditions associated with such approval.

In some cases, the level of residual risk does not meet risk acceptance criteria because the criteria being applied do not take into account prevailing circumstances. For example, it can be argued that it is necessary to accept risks because the benefits accompanying the risks are very attractive, or because the cost of risk modification is too high.

Such circumstances indicate that risk acceptance criteria are inadequate and should be revised if possible. However, it is not always possible to revise the risk acceptance criteria in a timely manner.

In such cases, decision-makers can accept risks that do not meet normal acceptance criteria. If this is necessary, the decision-maker should explicitly comment on the risks and include a justification for the decision to override normal risk acceptance criteria.

Question 3

Output

Answer 3

A list of accepted risks with justification for those that do not meet the organization’s normal risk acceptance criteria.