1. ISO/IEC 27005:2022 - Information security, cybersecurity and privacy protection — Guidance on managing information security risks.
Section 8.4, "Risk treatment option selection," explicitly lists the four options for risk treatment: risk modification, risk retention (acceptance), risk avoidance, and risk sharing. This directly validates "Risk acceptance" as a strategy and shows that "Mobile updates" and "Software installation" are examples of risk modification, while "Risk exclusion" is not a listed option.
2. ISO/IEC 27001:2022 - Information security, cybersecurity and privacy protection — Information security management systems — Requirements.
Clause 6.1.3 c) 2) requires the organization to "determine all controls that are necessary to implement the information security risk treatment option(s) chosen." This clause implicitly references the selection of treatment options, which are detailed in supporting standards like ISO 27005.
3. Peltier, T. R. (2013). Information Security Risk Analysis (3rd ed.). CRC Press.
Chapter 7, "Risk Mitigation," discusses the primary risk mitigation (treatment) strategies. The text identifies them as: "risk assumption" (acceptance), "risk avoidance," "risk limitation" (modification/mitigation), and "risk transference." This academic source confirms that risk acceptance is a fundamental strategy. (Note: although this is a book rather than a standard, it is a widely cited academic and professional text in the field.)