What does ISO/IEC 27001:2022 require for information security risk treatment?
A. A consultancy to accurately perform information security risk treatment
B. Performing an information security risk treatment process to select appropriate risk treatment options, taking into account the results of the risk assessment
C. A person designated by top management with expertise to perform information security risk treatment
D. Acquiring a set of information security tools to automate risk treatment
ISO/IEC 27001:2022 requires the organization to define and apply an information security risk treatment process. This process must select appropriate information security risk treatment options, determine the controls necessary to implement the chosen options, compare the selected controls with Annex A, produce a Statement of Applicability, and formulate a risk treatment plan. The standard does not require a consultant, a specific tool, or a single appointed individual as the basis for compliance. Therefore, option B is correct.