The risk acceptance threshold is the limit set by senior management for tolerable risks. If a risk falls below this value, it may be accepted. If it exceeds the threshold, risk treatment is required. The value is typically visualised in the risk matrix, for example as a dividing line between green and yellow cells. ISO 27001 Clause 6.1.2 requires the organisation to define risk-acceptance criteria. You should review the threshold regularly because the organisation’s risk appetite may shift as the business evolves.