AuditFront
Risk Management

Residual Risk

The level of risk that remains after security controls and risk treatment measures have been applied. Residual risk must be formally evaluated and accepted by management to ensure it falls within the organization's defined risk appetite.

Residual risk represents the gap between inherent risk (risk before any controls are applied) and the risk reduction achieved by implemented controls and treatment measures. No control environment can eliminate risk entirely, so every organization operates with some level of residual risk. The key governance question is whether that remaining risk is acceptable given the organization's risk appetite and the cost-effectiveness of further risk reduction measures. Understanding and managing residual risk is essential for making informed decisions about security investments and for demonstrating due diligence to regulators, auditors, and stakeholders.

ISO 27001 Clause 6.1.3 explicitly requires risk owners to approve the risk treatment plan and accept the residual information security risks. This formal acceptance is a documented governance act — typically recorded in the risk register and approved at the management review. SOC 2 auditors evaluate whether residual risks have been identified and appropriately accepted by management as part of the organization's risk management process. NIS2 requires that management bodies of essential entities approve cybersecurity risk-management measures and oversee their implementation, which inherently involves accepting residual risk. In technology due diligence, the documentation of residual risk acceptance demonstrates mature risk governance.

Calculating residual risk involves reassessing the likelihood and impact of a risk after controls have been implemented. If the inherent risk of a data breach was rated as High, and encryption, access controls, and monitoring have been implemented, the residual risk might be reassessed as Medium or Low. If the residual risk exceeds the organization's appetite, further controls must be considered. Organizations should be wary of over-optimistic residual risk assessments — the effectiveness of controls should be validated through testing, audits, and incident analysis rather than assumed. Residual risk should be reviewed regularly, as changes in the threat landscape, business context, or control effectiveness can cause it to drift over time.
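As an added illustration of the reassessment described above (example code, not AuditFront's material), the following evaluator rates a constructed risk-register entry before and after controls, counts only controls whose effectiveness has been validated by default, and checks the result against an assumed risk appetite. The three-point scale, the rating bands, the control effects and the sample entry are all assumptions made for the example.

```python
from dataclasses import dataclass, field

LEVELS = {"Low": 1, "Medium": 2, "High": 3}  # assumed three-point scale

def rating(likelihood: int, impact: int) -> str:
    """Map likelihood x impact (1..9) onto a qualitative rating (assumed bands)."""
    score = likelihood * impact
    return "High" if score >= 6 else "Medium" if score >= 3 else "Low"

@dataclass
class Control:
    name: str
    likelihood_reduction: int = 0  # levels removed from likelihood
    impact_reduction: int = 0      # levels removed from impact
    validated: bool = False        # confirmed by testing, audit or incident review

@dataclass
class Risk:
    name: str
    likelihood: str
    impact: str
    controls: list = field(default_factory=list)

def inherent_rating(risk: Risk) -> str:
    """Rating before any controls are applied."""
    return rating(LEVELS[risk.likelihood], LEVELS[risk.impact])

def residual_rating(risk: Risk, require_validation: bool = True) -> str:
    """Reassess likelihood and impact after controls. With require_validation,
    only validated controls count, so assumed-but-untested controls cannot inflate the result."""
    lik, imp = LEVELS[risk.likelihood], LEVELS[risk.impact]
    for c in risk.controls:
        if require_validation and not c.validated:
            continue
        lik -= c.likelihood_reduction
        imp -= c.impact_reduction
    return rating(max(1, lik), max(1, imp))  # floor at 1: risk never reaches zero

def treatment_decision(risk: Risk, appetite: str, require_validation: bool = True):
    """Return (residual rating, True if within appetite and ready for formal acceptance)."""
    r = residual_rating(risk, require_validation)
    return r, LEVELS[r] <= LEVELS[appetite]

# Constructed register entry mirroring the data-breach scenario in the text.
BREACH = Risk("Customer data breach", "High", "High", [
    Control("Encryption at rest", impact_reduction=1, validated=True),
    Control("Access controls", likelihood_reduction=1, validated=True),
    Control("Monitoring", likelihood_reduction=1, validated=False),  # not yet tested
])
```

With the untested monitoring control excluded, the residual rating for the sample entry is Medium rather than the Low that counting every control would suggest, which is the over-optimism the text warns against.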

Related terms

Control Objective

A statement describing what a specific security control is intended to achieve. Control objectives define the desired outcome — such as preventing unauthorized access or ensuring data integrity — while allowing organizations flexibility in how they implement the control to meet that objective.

Risk Appetite

The level and type of risk an organization is willing to accept in pursuit of its objectives. Risk appetite defines the boundaries within which the organization operates and guides decision-making about which risks to accept, mitigate, transfer, or avoid.

Risk Assessment

A structured process for identifying, analyzing, and evaluating information security risks. Risk assessments determine the likelihood and potential impact of threats to an organization's information assets, guiding decisions about which controls to implement.

Risk Register

A structured document or database that records all identified risks, their assessment details (likelihood, impact, rating), assigned risk owners, selected treatment options, current control status, and residual risk levels. It serves as the central repository for an organization's risk management activities.

Risk Treatment

The process of selecting and implementing measures to modify identified risks. The four primary risk treatment options are risk mitigation (applying controls to reduce risk), risk acceptance (acknowledging and tolerating the risk), risk transfer (sharing risk with a third party such as an insurer), and risk avoidance (eliminating the risk by ceasing the activity).
