LOGBOOK

HELP

Quiz Entry - updated: 2026.05.31

After all risk treatments have been applied, what is the Restrisiko — and what's the key non-obvious rule about it?

Restrisiko = what's left after Avoid + Reduce + Transfer. Crucial: residual risk does NOT have to be accepted — if it's still too large, iterate the loop.

The ISO 27005 process has two explicit decision points:

  1. Risk Decision Point 1 — "Assessment satisfactory?"

    • No → loop back to context and re-assess.
    • Yes → proceed to treatment.
  2. Risk Decision Point 2 — "Treatment satisfactory?" (residual risk acceptable?)

    • No → loop back to treatment with more/different controls.
    • Yes → formal risk acceptance.

The treatment box itself branches into four options: Risk Modification (reduce), Risk Retention (accept), Risk Avoidance, and Risk Sharing (transfer).

Why "doesn't have to be accepted" matters:

  • A naive process treats "residual" as automatically final — but a residual of CHF 5 M/year may still exceed appetite.
  • The decision point gives you a formal moment to say: "Not good enough — find more budget, more controls, or refuse this business activity."

Tip: This is also why risk acceptance has to be signed by an empowered owner — accepting CHF 5 M of risk is a financial decision, not a security one.

From Quiz: ISF / Risk Management | Updated: May 31, 2026