Residual Risk
Definition
Residual risk is the remaining risk after controls and mitigation measures have been applied to address identified threats and vulnerabilities. It represents the risk that still exists despite efforts to reduce or eliminate it. In the context of ISO 27001, residual risk must be evaluated to ensure that it is acceptable in relation to the organization's risk appetite and business objectives. This term is critical for compliance professionals, auditors, and risk managers in evaluating the effectiveness of security controls and making informed decisions regarding risk treatment strategies.
Real-World Examples
Risk after mitigation
A company applies multiple security measures like encryption and multi-factor authentication but still faces some risk from emerging threats. This is considered residual risk.
Third-party risk
A vendor's software poses residual risk even after contractual security requirements are implemented. The company must monitor ongoing compliance and address any risks that remain.
Residual risk refers to the remaining risk after an organization has implemented controls to mitigate the impact or likelihood of potential threats. It is an essential part of risk management and is assessed to ensure that it aligns with an organization's risk appetite.
Inherent risk is the level of risk that exists before any controls are applied, while residual risk is what remains after risk mitigation strategies are implemented. Inherent risk is often higher, while residual risk reflects the effectiveness of security measures.
Residual risk helps organizations assess whether their security measures are adequate. It ensures that any remaining risks are acceptable and provides a basis for ongoing risk management and compliance efforts in frameworks like ISO 27001.
Residual risk is calculated by subtracting the effectiveness of implemented controls from the inherent risk. This calculation considers factors like the likelihood of an event and its potential impact.
Examples of residual risk in cybersecurity include vulnerabilities that remain after patching systems, risks associated with human error despite training, or risks posed by third-party vendors that are outside the organization's direct control.
Organizations manage residual risk by regularly reviewing and updating their risk assessments, applying additional controls if necessary, and ensuring that residual risk aligns with their risk tolerance and business objectives.
Yes, ISO 27001 requires organizations to assess and accept residual risk. This assessment ensures that the risk remaining after security measures are applied is manageable and aligned with the organization's risk appetite.
Residual risk can be calculated as the difference between inherent risk and the effectiveness of applied controls. It is often expressed as: Residual Risk = Inherent Risk - Control Effectiveness.
Residual risk should be accepted if it falls within the organization's risk appetite and does not pose a significant threat to business objectives. If it exceeds acceptable levels, further mitigation measures should be considered.
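The calculation and acceptance decision described above, as an added example that is not part of the WatchDog Security GRC Wiki page: a small risk-register evaluator applying the page's formula (Residual Risk = Inherent Risk - Control Effectiveness) and then comparing the result with a risk appetite threshold. The 1-5 likelihood/impact scale, the 0-25 control-effectiveness units and the appetite value are assumptions chosen for illustration.

```python
# Added example (not from the original page): evaluate a constructed risk register
# with the page's formula and decide accept vs. treat further against a risk appetite.
# Assumed scales: likelihood and impact 1..5 (inherent risk 1..25); control
# effectiveness is expressed in the same risk-point units (0..25).
from dataclasses import dataclass


@dataclass
class RiskEntry:
    name: str
    likelihood: int             # 1 (rare) .. 5 (almost certain)
    impact: int                 # 1 (negligible) .. 5 (severe)
    control_effectiveness: int  # risk points removed by the applied controls, 0..25

    def __post_init__(self) -> None:
        # Reject entries outside the assumed scales so a typo cannot hide a risk.
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError(f"{self.name}: likelihood and impact must be 1..5")
        if not (0 <= self.control_effectiveness <= 25):
            raise ValueError(f"{self.name}: control effectiveness must be 0..25")

    def inherent_risk(self) -> int:
        """Risk before any controls are applied: likelihood x impact."""
        return self.likelihood * self.impact

    def residual_risk(self) -> int:
        """Page formula: inherent risk minus control effectiveness, floored at zero."""
        return max(self.inherent_risk() - self.control_effectiveness, 0)


def treatment_decision(entry: RiskEntry, risk_appetite: int) -> str:
    """'accept' when residual risk is within appetite, otherwise 'treat further'."""
    return "accept" if entry.residual_risk() <= risk_appetite else "treat further"


def evaluate_register(register: list, risk_appetite: int) -> list:
    """Return (name, inherent, residual, decision) for every register entry."""
    return [(e.name, e.inherent_risk(), e.residual_risk(), treatment_decision(e, risk_appetite))
            for e in register]


# Constructed sample register mirroring the page's examples (values are illustrative).
SAMPLE_REGISTER = [
    RiskEntry("Credential theft (encryption + MFA applied)", 4, 5, 14),
    RiskEntry("Vendor software flaw (contractual controls only)", 3, 4, 4),
    RiskEntry("Phishing via human error (awareness training)", 5, 3, 6),
]
RISK_APPETITE = 8  # hypothetical: residual risk above 8 points must be treated further

if __name__ == "__main__":
    for name, inherent, residual, decision in evaluate_register(SAMPLE_REGISTER, RISK_APPETITE):
        print(f"{name}: inherent={inherent} residual={residual} -> {decision}")
```

The third entry lands just above the appetite threshold, which is the case the review cycle in the text exists to catch: the residual figure is re-examined and further controls are applied rather than the risk being silently accepted.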
In third-party risk management, residual risk refers to the remaining risk after evaluating and implementing controls to manage the security posture of vendors. It ensures that the organization monitors and controls third-party risks appropriately.
| Version | Date | Author | Description |
|---|---|---|---|
| 1.0.0 | 2026-02-26 | WatchDog Security GRC Wiki Team | Initial publication |