After all risk treatments have been applied, what is the Restrisiko — and what's the key non-obvious rule about it?
Restrisiko = what's left after Avoid + Reduce + Transfer. Crucial: residual risk does NOT have to be accepted — if it's still too large, iterate the loop.
The ISO 27005 process has two explicit decision points:
-
Risk Decision Point 1 — "Assessment satisfactory?"
- No → loop back to context and re-assess.
- Yes → proceed to treatment.
-
Risk Decision Point 2 — "Treatment satisfactory?" (residual risk acceptable?)
- No → loop back to treatment with more/different controls.
- Yes → formal risk acceptance.
The treatment box itself branches into four options: Risk Modification (reduce), Risk Retention (accept), Risk Avoidance, and Risk Sharing (transfer).
Why "doesn't have to be accepted" matters:
- A naive process treats "residual" as automatically final — but a residual of CHF 5 M/year may still exceed appetite.
- The decision point gives you a formal moment to say: "Not good enough — find more budget, more controls, or refuse this business activity."
Tip: This is also why risk acceptance has to be signed by an empowered owner — accepting CHF 5 M of risk is a financial decision, not a security one.