1. ISO/IEC 27001:2022 - Information security, cybersecurity and privacy protection — Information security management systems — Requirements.
   Clause 6.1.3 c): This clause outlines the requirements for information security risk treatment, which culminates in determining the residual information security risk.
   Clause 8.3: This clause requires the organization to implement the risk treatment plan and retain documented information. The note to this clause clarifies that the results of the risk treatment (which include the accepted residual risk) should be approved by the risk owners. The 2013 version was more explicit in clause 6.1.3 e), stating the need to "obtain risk owners' approval of the risk treatment plan and acceptance of the residual information security risks." The principle remains unchanged in the 2022 version.
2. Humphreys, E. (2016). Implementing the ISO/IEC 27001:2013 ISMS Standard. Artech House.
   Chapter 6, Section 6.4, "Accepting Residual Risks": This section details the process, stating, "The final step in the risk treatment process is to have the risk owners formally accept the residual risks... This is a key step in the process as it ensures that management is aware of the risks that the organization is carrying and has formally accepted them." (p. 93). This text is frequently used in university-level cybersecurity management courses.
3. Von Solms, R., & Von Solms, B. (2018). "Cyber Security and Information Security – What's the Difference?". In The Cyber Security Body of Knowledge (pp. 13-24). Springer, Cham.
   This publication, often used in academic settings, discusses the risk management lifecycle inherent in ISO 27001. It explains that after treatment, residual risk must be formally accepted by management (the risk owners) as being within the organization's risk appetite, which is a fundamental governance activity. (DOI: https://doi.org/10.1007/978-3-319-95538-12)