Risk response
When risks have been identified using a risk assessment, an organisation needs to respond to them. The four ways of responding to a risk are as follows:
• **Tolerate** – accept the risk as it is. This might be because the risk is small enough to be tolerable or because other responses would not be cost-effective.
• **Transfer** – pass the risk to another party. This can be done through outsourcing or insurance.
• **Avoid** – stop doing the activity that creates the risk. This can happen if the potential harm of the risk outweighs the benefits of the activity.
• **Treat** – introduce something to reduce the risk to an acceptable level. Controls are used to reduce risk, and ISO 27001 Annex A lists controls that are relevant to information security. The ISO 27001 controls are in CyberComply’s library of control sets.
Updated on: 17/06/2024