5 FAQs

What is ISO 27001 risk management policy?

The ISO 27001 risk management policy is a document that outlines the guidelines for how an organization will identify and manage risks, essentially defining its risk appetite and preparing for various types and levels of risk. Rather than a rule-based management system, ISO 27001 proposes this risk-based approach to help organizations deal effectively with known and unknown risks. It is a mandatory ISO 27001 document that gives a more comprehensive and standard approach to handling risks.

For an ISO 27001 certification, the following are the important clauses that cover risk management:

ISO 27001 Clause 6.1.2 (Information Security Risk Assessment) – Requires organizations to establish and maintain risk assessment processes.
ISO 27001 Clause 6.1.3 (Information Security Risk Treatment) – Requires organizations to select appropriate treatment options to address risks.
ISO 27001 Clause 8.2 (Information Security Risk Assessment) – Requires organizations to perform risk assessments at planned intervals and when significant changes occur.
ISO 27001 Clause 8.3 (Information Security Risk Treatment) – Requires organizations to implement the risk treatment plan and retain documented results of the risk treatment.