What is a Risk Treatment Plan?
What is a Risk Treatment Plan?
A risk treatment plan is a formal document that outlines how an organization intends to address each identified information security risk. It specifies the treatment option selected for each risk, the controls to be implemented, responsible owners, timelines, and expected residual risk levels. Risk treatment plans are a core requirement of ISO 27001 and a recommended practice across most compliance frameworks.
Risk treatment options
For each identified risk, organizations typically choose one of four treatment options:
- Mitigate — implement controls to reduce the likelihood or impact of the risk to an acceptable level
- Accept — acknowledge the risk and decide not to take additional action, typically because the cost of treatment exceeds the potential impact
- Transfer — shift the risk to a third party, such as through insurance or outsourcing to a specialized provider
- Avoid — eliminate the risk entirely by discontinuing the activity or service that creates it
Most risks are treated through mitigation, with specific controls designed to address the identified threat.
Components of a risk treatment plan
A comprehensive risk treatment plan includes:
- Risk identifier — reference to the specific risk from the risk register
- Risk description — a clear statement of the risk, including threat, vulnerability, and potential impact
- Treatment option — which of the four options has been selected
- Controls — the specific controls to be implemented for mitigated risks
- Owner — the person or team responsible for implementing the treatment
- Timeline — target dates for implementation milestones
- Resources required — budget, tools, or personnel needed
- Residual risk — the expected risk level after treatment is applied
- Status — current implementation progress
Risk treatment in ISO 27001
ISO 27001 clause 6.1.3 specifically requires organizations to formulate a risk treatment plan. The standard requires that:
- Risk treatment options are determined for each assessed risk
- Controls necessary to implement the treatment are identified
- Selected controls are compared against Annex A to ensure completeness
- A Statement of Applicability is produced
- The risk treatment plan is approved by risk owners
- Residual risk levels are accepted by management
The risk treatment plan is a key document reviewed during certification audits and surveillance audits.
Risk treatment in NIST CSF
While NIST CSF does not prescribe a specific risk treatment plan format, the framework's Identify function (particularly the Risk Assessment category) and Protect function align closely with risk treatment concepts. Organizations using NIST CSF often develop risk treatment plans as part of their implementation.
Building an effective risk treatment plan
To create a practical and effective risk treatment plan:
- Prioritize risks — start with the highest-rated risks from your risk register
- Select realistic treatments — choose options that are feasible given your budget, resources, and timeline
- Assign clear ownership — every risk treatment must have a named owner accountable for implementation
- Set measurable milestones — define specific, trackable milestones rather than vague commitments
- Review regularly — update the plan as risks change, new threats emerge, or controls are implemented
- Communicate status — report progress to management and stakeholders
How episki helps
episki links your risk register directly to your risk treatment plan, making it easy to assign treatments, track implementation progress, and measure residual risk. The platform sends reminders to risk owners and provides management dashboards showing treatment status across the organization. Learn more on our ISO 27001 compliance page.
