Approval for the residual risk
Answer: The best way is to define a risk assessment and treatment methodology, so you can define which steps have to be performed (e.g., identify, analyse, evaluate and treat the risks, as well as get approval of residual risks) and who is responsible for them.
2. Where and how to document it? And does it need documenting?
Answer: You have many options for where you can document the approval for the residual risks: the approval could be on a separate document, within the SoA (as in our toolkit), or on the risk assessment and treatment report. This approval, like other information gathered during the risk assessment and treatment process, is a requirement of ISO 27001 and must be documented.
To see a complete set of documents for risk assessment and treatment, please take a look at the free demo of our ISO 27001/ISO 22301 Risk Assessment Toolkit at this link: https://advisera.com/27001academy/iso-27001-22301-risk-assessment-toolkit/
These articles will provide you further explanation about the risk assessment and treatment process:
- ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
- How to write ISO 27001 risk assessment methodology https://advisera.com/27001academy/knowledgebase/write-iso-27001-risk-assessment-methodology/
These materials will also help you regarding the risk assessment and treatment process:
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
- The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
Nov 24, 2018