Answer: No. The risk acceptance criteria are the factors you consider when evaluating whether to accept a risk or not (e.g., probability, impact, risk value, cost of the control, etc.). The acceptable level of risk is the value attributed to a risk acceptance criterion, which defines for that criterion whether a risk should be accepted or not. For example, you can consider risk value as a risk acceptance criterion, and for that criterion the acceptable level of risk is any risk value lower than 5, which means that any risk with a value lower than 5 can be accepted.
These materials will also help you regarding risk criteria and acceptance level:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://training.advisera.com/course/iso-27001-foundations-course/
Yes, this implies risk calculation. Considering ISO 27001, the most common ways to determine the risk level are simply summing or multiplying the values attributed to likelihood and impact in your risk analysis (e.g., if likelihood = 2 and impact = 1, your risk level would be 3 using sum, or 2 using multiplication). For a simple risk analysis there is no difference whether you use sum or multiplication (this choice is more relevant when you work with statistical data).
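The two answers above describe, between them, a small risk register calculation: score likelihood and impact, combine them by sum or by multiplication, and compare the result against the acceptable level set for the "risk value" criterion (any value lower than 5 is acceptable). The following is an added example of that calculation, written for this page; it is not code from Advisera or from the ISO 27001 standard. It assumes a 1-5 scale for both likelihood and impact and uses a constructed sample register, whose first entry is the likelihood = 2, impact = 1 case from the answer.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumption for this example: likelihood and impact are both scored on a 1-5 scale.
SCALE_MIN, SCALE_MAX = 1, 5


@dataclass
class Risk:
    name: str
    likelihood: int
    impact: int


def risk_level(likelihood: int, impact: int, method: str = "sum") -> int:
    """Combine likelihood and impact into a risk level, by sum or by multiplication."""
    for value in (likelihood, impact):
        if not SCALE_MIN <= value <= SCALE_MAX:
            raise ValueError(f"score {value} is outside the {SCALE_MIN}-{SCALE_MAX} scale")
    if method == "sum":
        return likelihood + impact
    if method == "product":
        return likelihood * impact
    raise ValueError(f"unknown method: {method}")


def evaluate_register(risks: List[Risk], method: str = "sum",
                      acceptable_below: int = 5) -> Dict[str, Tuple[int, bool]]:
    """Apply the 'risk value' acceptance criterion with acceptable level 'lower than acceptable_below'.

    Returns, per risk name, the computed level and whether the risk can be accepted.
    """
    result = {}
    for risk in risks:
        level = risk_level(risk.likelihood, risk.impact, method)
        result[risk.name] = (level, level < acceptable_below)
    return result


def risks_needing_treatment(risks: List[Risk], method: str = "sum",
                            acceptable_below: int = 5) -> List[str]:
    """Names of the risks that are not acceptable and therefore need a treatment decision."""
    evaluated = evaluate_register(risks, method, acceptable_below)
    return [name for name, (_, accepted) in evaluated.items() if not accepted]


# Constructed sample register (not real data); the first entry uses the answer's own numbers.
SAMPLE_REGISTER = [
    Risk("Laptop lost in transit", 2, 1),
    Risk("Ransomware on file server", 3, 3),
    Risk("Backup restore fails", 1, 4),
]

if __name__ == "__main__":
    for method in ("sum", "product"):
        print(f"--- risk level by {method} ---")
        for name, (level, accepted) in evaluate_register(SAMPLE_REGISTER, method).items():
            print(f"{name:28} level={level:2}  {'accept' if accepted else 'treat'}")
```

The acceptable level (here, "lower than 5") is a parameter of the evaluation rather than a constant buried in the scoring, so the same register can be re-run when the organisation revises its acceptance criteria or its scoring method.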
Regarding ISO 27001, you should consider performing a risk assessment:
1 - every time a significant change occurs in the external or internal conditions that may impact your ISMS scope or objectives. Examples of external conditions are changes in laws and regulations. Examples of internal conditions are the introduction of new information systems, modifications to information systems already running, or changes in business processes or objectives.
2 - after a predefined time since the last risk assessment, even if no external or internal conditions have changed (normally this periodicity is one year, but you should consider your activities and industry to define a proper periodicity).