What is residual risk?
According to ISO 27001, residual risk is “the risk remaining after risk treatment”.
Here is how it works: first you identify the risks, then you treat (i.e. mitigate) the ones you find unacceptable. Treatment never eliminates a risk entirely, because that is simply not possible, so some level of risk always remains after the controls are in place. That remaining level is the residual risk. The point of measuring it is that the organization needs to know whether the planned treatment is actually enough.
Residual risks are usually assessed in the same way as the initial risk assessment: the same methodology, the same likelihood and impact scales, and so on. The difference is that you now take into account the effect of the selected controls (and any other mitigation), so the likelihood of an incident is usually lower and sometimes the impact is smaller as well. Using the same scales matters, because the residual value only means something when it can be compared directly with the inherent value and with the acceptable level of risk.
For more information about the risk management process read ISO 27001 risk assessment & treatment – 6 basic steps.
How is it related to acceptable level of risk?
I mentioned that the purpose of residual risk is to find out whether the planned treatment is sufficient. The question is, how do you know what counts as sufficient? This is where the acceptable level of risk comes into play. It is nothing more than a decision about how much 'risk appetite' the organization has: in other words, whether management is comfortable operating in a high-risk environment where it is much more likely that something will happen, or wants a higher level of security and therefore a lower level of risk.
Both approaches are allowed in ISO 27001; each organization has to decide what is appropriate for its circumstances (and for its budget). The former approach is probably better suited to high-growth startup companies, while the latter is usually pursued by financial organizations.
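The two paragraphs above describe a procedure: score each risk on fixed likelihood and impact scales, apply the effect of controls to get the residual values on the same scales, and compare the result with the acceptable level chosen by management. The following is an added example of that comparison, not code from the original article and not anything prescribed by ISO 27001. The 1 to 5 scales, the rule that a control lowers likelihood or impact by a fixed number of steps, the risk register entries and the two acceptance thresholds are all constructed assumptions for illustration; a real assessment would use whatever scales and control effects the organization's own methodology defines.

```python
from dataclasses import dataclass, field

# Constructed assumption: 1-5 ordinal scales for likelihood and impact.
# ISO 27001 does not prescribe a scale; it only requires that residual risk is
# assessed with the same methodology and scales as the initial assessment.
SCALE_MIN, SCALE_MAX = 1, 5


@dataclass
class Control:
    """A treatment that moves likelihood and/or impact down the scale."""
    name: str
    likelihood_reduction: int = 0  # steps down the likelihood scale (assumed)
    impact_reduction: int = 0      # steps down the impact scale (assumed)


@dataclass
class Risk:
    ident: str
    description: str
    likelihood: int  # inherent likelihood, before treatment
    impact: int      # inherent impact, before treatment
    controls: list = field(default_factory=list)

    def inherent_score(self) -> int:
        return self.likelihood * self.impact

    def residual_values(self) -> tuple:
        """Apply the controls on the same scale used for the inherent values.

        Controls reduce likelihood (most often) and sometimes impact; the result
        is clamped to the scale minimum because no treatment removes a risk
        entirely, which is exactly why residual risk exists.
        """
        l = self.likelihood - sum(c.likelihood_reduction for c in self.controls)
        i = self.impact - sum(c.impact_reduction for c in self.controls)
        return max(SCALE_MIN, l), max(SCALE_MIN, i)

    def residual_score(self) -> int:
        l, i = self.residual_values()
        return l * i


def risks_above_acceptable_level(register: list, acceptable_level: int) -> list:
    """Return identifiers of risks whose residual score still exceeds the
    acceptable level, i.e. risks whose planned treatment is not enough."""
    return [r.ident for r in register if r.residual_score() > acceptable_level]


# Constructed sample register (not from the article).
MFA = Control("multi-factor authentication", impact_reduction=2)
AWARENESS = Control("security awareness training", likelihood_reduction=1)
EDR = Control("endpoint detection and response", likelihood_reduction=1)
OFFLINE_BACKUP = Control("offline backups", impact_reduction=2)
FDE = Control("full-disk encryption", impact_reduction=3)

REGISTER = [
    Risk("R1", "phishing leads to credential theft", 5, 4, [AWARENESS, MFA]),
    Risk("R2", "ransomware on the file server", 3, 5, [EDR, OFFLINE_BACKUP]),
    Risk("R3", "laptop with customer data is stolen", 3, 4, [FDE]),
    Risk("R4", "insider misuse of admin rights", 2, 3),  # no treatment planned
]

# Two constructed risk appetites: a growth-oriented startup accepts residual
# scores up to 6; a financial organization accepts only up to 4.
STARTUP_ACCEPTABLE_LEVEL = 6
FINANCIAL_ACCEPTABLE_LEVEL = 4

if __name__ == "__main__":
    for risk in REGISTER:
        print(f"{risk.ident}: inherent {risk.inherent_score():2d} -> "
              f"residual {risk.residual_score():2d}  ({risk.description})")
    print("still unacceptable for the startup:",
          risks_above_acceptable_level(REGISTER, STARTUP_ACCEPTABLE_LEVEL))
    print("still unacceptable for the financial organization:",
          risks_above_acceptable_level(REGISTER, FINANCIAL_ACCEPTABLE_LEVEL))
```

The same register with the same planned controls leaves only R1 untreated enough for the startup, but three risks (R1, R2 and R4) for the financial organization. Nothing in the treatment changed between the two runs; only the acceptable level did, which is the point of the section above: the acceptable level is a management decision, and residual risk is what you measure against it.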
Residual risk management
Once you have determined your residual risks, what do you do with them? Basically, you have these three options: