Assessing the residual risk

Guest user Created:   Sep 07, 2016 Last commented:   Sep 07, 2016


As part of risk management, after determining the control measures for an identified risk that has not happened yet, how can we review the effectiveness of the control measures for that particular risk?
Antonio Jose Segovia Sep 07, 2016

Answer:
If your question is about how to assess the residual risk, you simply need to consider that the security control is implemented and recalculate the risk. For example, if you use this formula for the calculation of risk:

Risk = Likelihood x Impact

After the implementation of the security control, the likelihood is probably reduced, and consequently the risk is reduced (this reduced risk after the implementation of the control is the residual risk).

Then check whether the risk is below or above the acceptable level. If the risk is below, you have done your work well (the treatment is OK). If the risk is above, you need to consider another control, or maybe another treatment (for example, assume the risk).

This article can be interesting for you, “Why is residual risk so important?”: https://advisera.com/27001academy/knowledgebase/why-is-residual-risk-so-important/

And also this one, “Risk appetite and its influence over ISO 27001 implementation”: https://advisera.com/27001academy/blog/2014/09/08/risk-appetite-influence-iso-27001-implementation/

Finally, these materials will help you to know more about the residual risk:
- free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
- book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/

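A worked version of the recalculation described in this answer, added here as an example (it is not code from the post or from Advisera): the 1-5 likelihood and impact scale, the acceptance level of 8 and the per-control reductions are all assumed values chosen for illustration.

```python
"""Residual risk for Risk = Likelihood x Impact, with a treatment decision.

Constructed example: likelihood and impact on a 1-5 scale, risk acceptance
level 8, and each control removes a stated number of points from likelihood
and/or impact. None of these values come from the original post.
"""
from dataclasses import dataclass, field

RISK_ACCEPTANCE_LEVEL = 8  # assumed threshold: residual risk above this needs more treatment


@dataclass
class Control:
    name: str
    likelihood_reduction: int = 0  # points removed from likelihood once implemented
    impact_reduction: int = 0      # points removed from impact once implemented


@dataclass
class Risk:
    name: str
    likelihood: int  # 1 (rare) .. 5 (almost certain)
    impact: int      # 1 (negligible) .. 5 (severe)
    controls: list = field(default_factory=list)

    def inherent(self) -> int:
        """Risk before any control is considered."""
        return self.likelihood * self.impact

    def residual(self) -> int:
        """Recalculate with the controls treated as implemented (scale floor is 1)."""
        lik = max(1, self.likelihood - sum(c.likelihood_reduction for c in self.controls))
        imp = max(1, self.impact - sum(c.impact_reduction for c in self.controls))
        return lik * imp


def treatment_decision(risk: Risk, acceptance_level: int = RISK_ACCEPTANCE_LEVEL) -> str:
    """Compare residual risk with the acceptance level, as the answer describes."""
    if risk.residual() <= acceptance_level:
        return "acceptable: the treatment is sufficient"
    return "above acceptance level: add another control or formally accept the risk"


# Constructed risk register entries for illustration.
RANSOMWARE = Risk("Ransomware on file server", likelihood=4, impact=5,
                  controls=[Control("Offline backups", impact_reduction=2),
                            Control("Patching and EDR", likelihood_reduction=2)])
LOST_LAPTOP = Risk("Lost unencrypted laptop", likelihood=3, impact=5,
                   controls=[Control("Security awareness", likelihood_reduction=1)])

if __name__ == "__main__":
    for r in (RANSOMWARE, LOST_LAPTOP):
        print(f"{r.name}: inherent={r.inherent()} residual={r.residual()} -> {treatment_decision(r)}")
```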