Glossary

Residual Risk Acceptance


Residual risk acceptance is the documented decision by the responsible risk owner, typically a member of senior management, to consciously carry a specific residual risk, i.e. the risk that remains after the planned controls have been applied. ISO 27001 Clause 6.1.3 requires the organization to obtain the risk owners' approval of the risk treatment plan and their acceptance of the residual information security risks. The acceptance record states which risk scenario is affected, which controls are already in place, what the residual risk level is and how it relates to the risk acceptance criteria defined under Clause 6.1.2, and why further reduction would be disproportionate in cost or effort. It is signed and dated by the risk owner. Because the acceptance is only valid for the circumstances under which it was made, it must be reassessed whenever the threat landscape or the business context changes, and at the latest at the next planned review of the risk assessment.