Loopus


ISO 27001 Implementation / Risk Assessment & Treatment

Creating a Risk Treatment Plan

35 min
lab
+70 XP

Learning Objectives

  • Develop a comprehensive risk treatment plan
  • Select and justify appropriate risk treatment options
  • Document treatment decisions, rationale, and residual risk acceptance

Developing the Risk Treatment Plan

Risk treatment translates risk analysis results into concrete action plans. For each unacceptable risk, the treatment plan specifies how the organization will address it, who bears responsibility, what resources are required, and what residual risk remains after treatment.

Understanding Treatment Options

ISO 27001 recognizes four fundamental approaches to risk treatment. Risk mitigation implements controls that reduce either the likelihood of occurrence or the impact if the risk materializes. This is the most common treatment approach and drives most security investment.

Risk avoidance eliminates the risk entirely by discontinuing the activity that creates it. If a particular business process creates unacceptable risk, the organization might redesign or abandon that process. Avoidance is often impractical but should be considered for very high risks.

Risk transfer shifts consequences to third parties through mechanisms such as insurance or outsourcing. Cyber insurance can transfer financial impact, while outsourcing can transfer operational responsibility. However, transfer rarely eliminates risk entirely, because reputational impact and ultimate accountability typically remain with the organization.

Risk acceptance acknowledges the risk without active treatment. Acceptance is appropriate when treatment costs exceed risk impact, when no effective treatment exists, or when the risk falls within organizational tolerance. Acceptance requires explicit management decision and documentation.

Structuring the Treatment Plan

For each risk requiring treatment, document the selected treatment option and rationale for choosing it. Specify the control or controls that will implement the treatment. Identify the individual responsible for implementation and ongoing operation.

Define resource requirements including budget, personnel, technology, and external services. Establish the implementation timeline with milestones and completion targets. Describe how treatment effectiveness will be measured and verified.

Control Selection from Annex A

When mitigation is the chosen treatment, select controls from ISO 27001 Annex A that address the identified risk. Consider control effectiveness against the specific threat and vulnerability combination. Evaluate implementation and operational costs against risk reduction benefit.

Assess compatibility with existing controls and organizational culture. Controls that conflict with business operations or user expectations often fail regardless of technical merit. Consider how multiple controls might work together to address risk more effectively than any single control.

Managing Residual Risk

No treatment eliminates risk entirely. Residual risk remains after treatment and must be explicitly assessed and accepted. Calculate residual risk using the same methodology applied to inherent risk but accounting for expected control effectiveness.

Document residual risk clearly and obtain formal acceptance from appropriate management levels. The Statement of Applicability records expected control states while the risk treatment plan records residual risk acceptance decisions.

Answer the Questions

Question 1

What treatment eliminates risk entirely?

Question 2

What form of treatment involves insurance?

Question 3

Risk remaining after treatment is called what?
