My recollection is that where the residual risk was 3 or more, i.e., unacceptable, we reviewed the risk and the risk owner could decide to accept the residual risk. The fact that the risk owner accepted the risk does not seem to be recorded anywhere in the reports. Where can I find that?
I can’t see where we say that a residual risk is accepted
The residual risk is accepted in the Risk Register module, in the risk treatment step. After the risk treatment option has been defined and the applicable controls selected, the residual risk is automatically calculated and then approved by the risk owner.
Additionally, the Risk Assessment and Treatment Report lists the accepted residual risks, and the Statement of Acceptance of Residual Risks contains a summary of the accepted residual risks and their respective risk owners. These documents can be found in the Documents module, under the ISO 27001 folder, in the Lists, Reports, Statements, and Plans sub-folder.