6.1.3 (f) and acceptance by top management
Quick question: 6.1.3 (f) requires the risk owner to accept the risk treatment plan and residual risks. In your templates (Risk Treatment Plan, Method for Risk Evaluation and Treatment), the risk can be accepted by top management. Is this still in conformity with 6.1.3 (f), or do we have to get approval from all risk owners?
Please note that in the template the risks are accepted by top management on behalf of the risk owners, i.e., the acceptance is made according to what is defined by risk owners, so this approach fulfills clause 6.1.3 (f), and approval of all risk owners is not needed.
This article will provide you with a further explanation about risk owners:
- Risk owners vs. asset owners in ISO 27001:2013 https://advisera.com/27001academy/knowledgebase/risk-owners-vs-asset-owners-in-iso-270012013/
This material will also help you regarding risk management:
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
Aug 03, 2020