
ISO 27001/ISO 22301 Knowledge base

Why is residual risk so important?

Author: Dejan Kosutic

The term ‘residual risk’ is mandatory in the risk management process according to ISO 27001, but unfortunately it is very often used without appreciating the real meaning of the concept.

What is residual risk?

According to ISO 27001, residual risk is “the risk remaining after risk treatment”.

Here is how it works: first you have to identify the risks, and then you need to mitigate the risks you find unacceptable (i.e. treat them). Once you treat the risks, you won’t completely eliminate them, because that is simply not possible – some risk will remain at a certain level, and this is what residual risk is. The point is that the organization needs to know exactly whether the planned treatment is enough or not.

Residual risks are usually assessed in the same way as the initial risk assessment – you use the same methodology, the same assessment scales, etc. What is different is that you now take into account the effect of the controls (and other mitigation methods), so the likelihood of an incident is usually lower and sometimes the impact is smaller as well.

For more information about the risk management process read ISO 27001 risk assessment & treatment – 6 basic steps.

How is it related to acceptable level of risk?

I mentioned that the purpose of assessing residual risks is to find out whether the planned treatment is sufficient – but how would you know what is sufficient? This is where the concept of the acceptable level of risk comes into play. It is nothing else but deciding how much ‘risk appetite’ an organization has: in other words, whether the management thinks it is fine for the company to operate in a high-risk environment where it is much more likely that something will happen, or whether the management wants a higher level of security involving a lower level of risk.

Both approaches are allowed in ISO 27001 – each organization has to decide what is appropriate for its circumstances (and for its budget). The former approach is probably better for high-growth startup companies, while the latter is usually pursued by financial organizations.

Residual risk management

Once you find out what residual risks are, what do you do with them? Basically, you have these three options:

  1. If the level of risk is below the acceptable level of risk, then you do nothing further – but the management needs to formally accept those risks.
  2. If the level of risk is above the acceptable level of risk, then you need to find new (and better) ways to mitigate those risks – which also means you’ll need to reassess the residual risks afterwards.
  3. If the level of risk is above the acceptable level of risk, but the cost of decreasing it would be higher than the impact itself, then you need to propose to the management that it accept these high risks.
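As an added illustration (this is example code, not part of the article or of Advisera's methodology), here is a small Python risk register that applies the three options above to each risk. The 1–5 likelihood and impact scales, the "likelihood × impact" formula, the acceptable level of 6 and the sample risks are all assumptions constructed for the example; an organization's own methodology defines the real scales and threshold.

```python
from dataclasses import dataclass

# Assumed scale bounds and acceptable level (not from the article).
SCALE_MIN, SCALE_MAX = 1, 5
ACCEPTABLE_LEVEL = 6

# Outcomes corresponding to the three options in the text.
ACCEPT = "accept (option 1: below acceptable level, management signs off)"
TREAT_MORE = "treat further and reassess residual risk (option 2)"
PROPOSE_ACCEPT = "propose acceptance to management (option 3: treatment costs more than the impact)"


@dataclass
class Risk:
    name: str
    likelihood: int            # before treatment, 1..5
    impact: int                # before treatment, 1..5
    residual_likelihood: int   # after the planned controls, same scale
    residual_impact: int       # after the planned controls, same scale
    further_treatment_cost: float  # cost of reducing the risk further (money)
    impact_value: float        # estimated loss if the incident occurs (money)


def risk_level(likelihood: int, impact: int) -> int:
    """Assumed formula: same scale and arithmetic before and after treatment."""
    for v in (likelihood, impact):
        if not SCALE_MIN <= v <= SCALE_MAX:
            raise ValueError(f"scale value {v} outside {SCALE_MIN}..{SCALE_MAX}")
    return likelihood * impact


def decide(risk: Risk, acceptable: int = ACCEPTABLE_LEVEL) -> str:
    """Apply the three-option decision rule to one risk's residual level."""
    inherent = risk_level(risk.likelihood, risk.impact)
    residual = risk_level(risk.residual_likelihood, risk.residual_impact)
    # Controls mitigate risk; a residual level above the inherent one means
    # the assessment was filled in inconsistently and should be fixed first.
    if residual > inherent:
        raise ValueError(f"{risk.name}: residual level {residual} exceeds inherent {inherent}")
    if residual <= acceptable:
        return ACCEPT
    if risk.further_treatment_cost > risk.impact_value:
        return PROPOSE_ACCEPT
    return TREAT_MORE


def evaluate_register(risks: list[Risk], acceptable: int = ACCEPTABLE_LEVEL) -> dict[str, str]:
    """Return the decision for every risk in the register, keyed by risk name."""
    return {r.name: decide(r, acceptable) for r in risks}


# Constructed sample register (hypothetical names and values).
SAMPLE_RISKS = [
    Risk("Laptop theft", 4, 4, 2, 3, 20_000, 60_000),           # residual 6 -> accept
    Risk("Ransomware on file server", 4, 5, 3, 4, 50_000, 400_000),  # residual 12 -> treat more
    Risk("Data centre flood", 2, 5, 2, 5, 2_000_000, 800_000),  # residual 10, too costly -> propose
]

if __name__ == "__main__":
    for name, outcome in evaluate_register(SAMPLE_RISKS).items():
        print(f"{name}: {outcome}")
```

Every outcome, including option 1, ends with a management decision being recorded, which is what makes the residual-risk step auditable rather than an arithmetic exercise.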

Such a systematic approach ensures that management is involved in the most important decisions, and that nothing is overlooked.

So the point is – top management needs to know which risks the company will still face after the various mitigation methods have been applied. After all, top management is responsible not only for the bottom line of the company, but also for its viability.

You can also check out our Risk Assessment and Treatment Methodology, which describes how to set an acceptable level of risk and how to manage residual risks.

Dejan Kosutic
Lead ISO 27001/22301 Expert, Advisera