8.3 Information security risk treatment

Clause 8.3 of ISO/IEC 27001:2022 requires organizations to select and apply appropriate controls to treat identified information-security risks, documenting a risk-treatment plan that links each risk to specific actions, responsible parties and timelines. The clause also mandates acceptance of any residual risk after treatment and regular review to ensure the treatment remains effective and aligned with the overall risk-assessment process.