Which item is required to be defined when planning the organization's risk assessment process?

Clause 6.1.2 (Information security risk assessment) requires organizations to “define and apply an information security risk assessment process that… establishes and maintains information security risk criteria, including criteria for accepting risk.”

This means that acceptable levels of risk (risk acceptance criteria) must be explicitly defined. These criteria ensure consistent decision-making when evaluating whether identified risks need further treatment or can be tolerated.

Option A is incorrect because exclusions relate to the ISMS scope (Clause 4.3), not risk assessment planning. Option B is not a requirement; effectiveness of risk assessment methods is not required to be measured, though methods must be applied consistently. Option D is false—the standard clearly specifies required elements for risk assessment.

Thus, the correct answer isC: The criteria for acceptable levels of risk.