
ISO 27001 Requirement 8.3 – Information Security Risk Treatment

By Mark Sharron | Updated 14 December 2023

Clause 8 of the ISO 27001 standard deals with operating the ISMS as needed to meet information security requirements and to achieve the information security objectives determined in 6.2.



What does Clause 8.3 involve?

Under clause 8.3, the organisation is required to implement the information security risk treatment plan and retain documented information on the results of that risk treatment. The requirement is therefore concerned with ensuring that the risk treatment processes described in clause 6.1, Actions to address risks and opportunities, are actually taking place. This should include evidence and clear audit trails of reviews and actions, showing how each risk moves over time as the results of investments emerge; this also gives both the organisation and the auditor confidence that the risk treatments are achieving their goals. Like other parts of clause 8, this is already achieved if the organisation has addressed the overall ISMS with the approach outlined in clause 7.5.


Meeting the requirements for 8.3

To meet the requirements for 8.3, you must be able to evidence that the risk treatment plan described in clause 6.1 is being implemented.

As described more fully in 6.1, this must include the evidence behind the treatment. In simple terms, ‘treatment’ can be work you are doing internally to control and tolerate the risk, steps you are taking to transfer the risk (e.g. to a supplier), or action to terminate a risk entirely. The controls selected to manage the risks must consider, but are not limited to, those described in Annex A of the standard. These Annex A controls form the statement of applicability (SoA), which describes all the controls and why they have, or haven’t, been implemented by the organisation.


How to create a risk treatment and manage your risk treatment process

Risk treatment should be considered alongside risk assessment and ultimately feed into the SoA too.

Typically, organisations find that managing and evidencing risk is the most complex part of ISO 27001. Read our recent article Information Security Risk Management Explained to explore risk management more fully. It can take days, weeks, or months of work to establish a fully operational risk solution.

That effort means establishing a conformant risk assessment methodology and a way of documenting and capturing the evidence of the whole security risk management process, as well as working through that process for the first full set of risks and treatments.

The ISMS.online software solution can cut that time and save a massive amount of work on the process with the included risk management tools and methods. ISMS.online also provides:

  • A template policy for Clause 8 of ISO 27001:2013
  • A template policy and methodology for clause 6.1 which includes a comprehensive yet pragmatic approach to risk identification, analysis, and treatment, as well as ongoing monitoring and review
  • Simple-to-use risk management tools, as described in the above policy and methodology, which produce and maintain the treatment plan
  • A whole bank of popular risks together with suggested Annex A controls to link to and treat those risks
  • Workspaces to capture all of the work done, enabling retention of the documented information within the tools and offering links back to the controls and policies used to address the risks and issues
  • Dynamically created Statement of Applicability, linking back to the Annex A Controls
  • One joined-up place to securely manage the whole ISMS

Get certified up to 5x faster with ISMS.online

Compliance doesn’t need to be complicated – ISMS.online is designed to help you achieve ISO 27001 certification quickly and affordably with no training required.
We’ve streamlined the ISO 27001 process with our Assured Results Method, an 80% Headstart, your own 24/7 Virtual Coach, easy onboarding and expert support.

