ISO 27001 Clause 8.3
This sub-clause requires the organisation to implement the information security risk treatment plan and retain documented information of the results.
ISO 27001 Clause 8.3 - Information Security Risk Treatment
Clause 8.3 is the operational counterpart to Clause 6.1.3. Where 6.1.3 sets up the risk treatment process and produces the Statement of Applicability and the risk treatment plan, Clause 8.3 requires the plan to actually be implemented and the results to be evidenced.
What ISO 27001 Clause 8.3 Requires
The organisation must implement the information security risk treatment plan and retain documented information of the results of the information security risk treatment. The clause is short - one sentence - but it is where the management system either delivers value or fails to. A plan that is not implemented manages nothing.
Implementing the Risk Treatment Plan
The risk treatment plan from Clause 6.1.3 identifies the controls to be implemented, the actions needed, the owners and the timescales. Clause 8.3 requires those actions to be carried out and the results recorded. Implementation usually progresses through the issues and actions register, with each action tracked from open through in-progress to closed.
The evidence of implementation comes from the records produced by the controls themselves. If the action was to put multi-factor authentication in place, the evidence is the configuration of the system, the records of users enrolled, the access logs and the policy that requires its use. If the action was to introduce a supplier security review, the evidence is the supplier contract, the security questionnaires completed and the supplier review records.
Recording the Results
The standard requires documented information of the results to be retained. In practice this means three things. The treatment plan itself shows what was done and when. The records produced by the controls show that they are operating. The risk register is updated to reflect the new risk position now that the treatment is in place.
The risk owner approves the residual risk after treatment. The Statement of Applicability is updated to reflect the new state of each control - typically moving from 'necessary, not yet implemented' to 'necessary, implemented'.
The link between the risk register, the treatment plan, the SoA and the operational records is what convinces the auditor that risk treatment is real. If those four documents are kept in sync, this clause looks after itself. If they drift apart, the audit becomes a hunt for what is current and what is not.
I sample the treatment plan at audit. I pick a few completed actions and look for the operational evidence that confirms them. If the plan says encryption was deployed in March and the configuration shows it was actually done in March, that is the clause being met. If the plan says one thing and the systems show another, the gap needs to be explained.
Practical Compliance Guidance
The risk treatment plan, the issues and actions register, the Statement of Applicability and the operational records together provide the documented information for Clause 8.3. The treatment plan tracks the work, the actions register tracks the activity, the SoA records the implementation status of each Annex A control, and the operational records evidence the controls in action.
The documents below support the implementation and evidencing of the information security risk treatment plan.
| alphaZ document | How to use it |
|---|---|
| ISO 27001 Toolkit | Complete documentation set for ISO 27001:2022 including the risk register, treatment plan, SoA and supporting registers. |
| ER15 Information Security Risks Register | Risk register with built-in treatment plan columns showing the actions, owners, status and residual risk for each treated risk. |
| F-IMS26 Statement of Applicability | Statement of Applicability that records the implementation status of each Annex A control, updated as the treatment plan is implemented. |
| ER1 Issues and Actions Register | Tracks the individual actions arising from the treatment plan with owners, due dates and completion status. |
Note - all the above files can be downloaded with an alphaZ subscription.
UK Legislation
UK legislation that applies to information security risk treatment is covered in detail under Clause 4.2 and the legal register. The most directly applicable items are listed below.
- UK General Data Protection Regulation (UK GDPR)
- Data Protection Act 2018
- Network and Information Systems Regulations 2018
