Risk acceptance is one of the four risk-treatment options defined by ISO 27005. You deliberately decide to carry a risk because the cost of treatment exceeds the potential damage, or because the risk already sits below the defined acceptance threshold. The decision must be documented and approved by an authorised person. Risk acceptance is not a blank cheque — it requires a traceable justification and is reassessed during each regular risk review. In the risk register you mark accepted risks with the rationale and approval date.