How to create an ISO 27001 Risk Treatment Plan? (Downloadable template)

Payal Wadhwa

Oct 11, 2024
ISO 27001 Risk Treatment Plans

Confidentiality, integrity, and availability, collectively known as the CIA triad, are the properties that ISO 27001 exists to protect. When a risk materializes, any or all of these properties can be compromised, leaving assets unprotected and objectives unmet. That is why a risk treatment plan (RTP) is central to ISO 27001: clause 6.1.3 requires you to select a treatment option for every assessed risk, determine the controls needed, and obtain the risk owners' approval of the plan and their acceptance of the residual risk.

A well-structured RTP helps manage and mitigate risks systematically and prioritize areas that need attention to ensure business continuity. It acts as a roadmap for addressing vulnerabilities and enhancing security measures.

This blog delves into the essentials of a risk treatment plan within the ISO 27001 framework and explores vital tips to creating an effective one.

TL;DR:
An ISO 27001 risk treatment plan provides a blueprint for bringing information security risks down to a level the organization has agreed to accept.
You can choose from 4 risk treatment options: avoidance, reduction, transfer (also called sharing), and acceptance.
To create a risk treatment plan, choose an assessment methodology, identify and assess risks, decide a treatment for each one, select controls, prepare a Statement of Applicability, implement the controls, and monitor regularly.

What is an ISO 27001 risk treatment plan?

An ISO 27001 risk treatment plan is a tactical document that records, for each risk identified through the risk assessment, the chosen treatment option, the controls required, who owns the risk, when the controls will be in place, and the residual risk that remains afterwards.

The risk treatment plan is one component of the wider risk management process. A risk management plan is a broader document covering all aspects, from risk identification and assessment to treatment and monitoring; the RTP covers only the treatment part.

Strategies for ISO 27001 risk treatment plan

You can choose from 4 risk treatment strategies when formulating your ISO 27001 risk treatment plan: avoidance, reduction, transfer, and acceptance. ISO 27005 calls the same four options risk avoidance, risk modification, risk sharing, and risk retention.

Let’s have a look at each of these strategies:

Risk avoidance:

This strategy removes the risk by withdrawing from the activity that creates it. The business takes an alternative route or terminates the operation altogether because the risk exceeds the reward.

For example, deciding not to collect a category of sensitive data at all, or decommissioning a legacy system that can no longer be patched, instead of trying to secure it.

Risk reduction

Risk reduction is the most common risk treatment option. It involves implementing measures, such as additional controls or changes to existing processes, that lower the likelihood of the risk, its impact, or both.

For example, a company might implement access controls, encryption, and multi-factor authentication to minimize the risk of unauthorized access. Access controls and MFA reduce the likelihood; encryption of stored data mainly reduces the impact if access is nonetheless gained.

Risk transfer

Risk transfer measures shift part of the financial impact of a risk to a third party, or share it with other stakeholders, typically through insurance or an outsourcing contract.

For example, a business purchases cyber insurance to cover the costs of responding to a data breach. Note that transfer only moves the financial loss: legal and contractual accountability for the information, for instance to customers or to a regulator, stays with the organization.

Risk acceptance

Risk acceptance is a decision to tolerate the risk without implementing any additional measures, either because the risk is already within the organization's acceptance criteria or because the cost of mitigation exceeds the expected impact. ISO 27001 expects every acceptance to be documented and signed off by the risk owner, not left implicit.

For example, an organization accepts low-severity vulnerabilities in non-critical, isolated systems and records the decision in the risk register.

Which risks need a risk treatment plan?

Every assessed risk needs a recorded treatment decision, but only risks that exceed your acceptance criteria need active treatment: controls, owners, and deadlines. Spending time and budget on high-priority risks first is sensible because they are the most likely to cause substantial harm and usually the most expensive to mitigate, so they need planning rather than ad hoc fixes.

Here are some examples of risks that require a risk treatment plan:

  • Risk of a potential data breach due to exposure of sensitive information—High-impact risks
  • Failure to comply with data privacy regulations such as GDPR—Compliance risks
  • Failure of critical systems resulting in downtime—Operational risks

You can identify these risks using impact assessments, risk matrices, discussions with key stakeholders, and leveraging tools and software.

How can Sprinto be an enabler?

As a next-gen GRC tool, Sprinto has integrated risk management that helps you visualize and understand the impact of risks. The comprehensive risk library enables you to scope out risks unique to your business or add custom risks. 


The tool then helps you score risks based on their impacts and likelihood of occurrence. It also helps consolidate and assess all the risk response options available. You can also assign risk owners to each type of risk and ensure better accountability and risk management.

Risks can also be automatically mapped to compliance criteria and controls and any anomalies or deviations will be flagged immediately.


ISO 27001 Annex A and ISO 27002 for your risk treatment plan

The latest ISO 27001:2022 version has 93 security controls grouped under 4 themes:

  • Organizational (37 controls)
  • People (8 controls)
  • Physical (14 controls)
  • Technological (34 controls)

The previous version, i.e. ISO 27001:2013, had 114 controls divided into 14 domains. Let's look at how these themes and controls help with risk treatment plans:

Organizational Controls (A 5.1 to A 5.37)

Organizational controls provide guidelines for managing risks. These include policies, procedures, and defining roles and responsibilities to oversee the implementation of information security practices.

Risk treatment examples: Creating a data protection policy or forming a governance team to manage information security risks.

People Controls (A 6.1 to 6.8)

People controls help manage the human component of information security risks. The category includes controls related to human resource security and training to ensure that the right people are hired and they understand the policies to recognize threats better.

Risk treatment examples: Conducting background checks while hiring new people or arranging for phishing training to minimize the chances of people falling for such attacks

Physical Controls (A 7.1 to 7.14)

Physical controls aim to protect the physical infrastructure against unauthorized access or damage. These controls include equipment maintenance, security perimeters, etc., to ensure a safe physical environment.

Risk treatment examples: installing surveillance cameras to monitor visitors or installing uninterruptible power supplies (UPS) to minimize power outages.

Technological Controls (A 8.1 to 8.34)

Technological controls help secure information systems and data by implementing technical safeguards. These include controls such as malware protection, backups, network security etc.

Risk treatment examples: Implementing encryption to protect sensitive data or introducing logging and monitoring to track user activities and report suspicious attempts.

ISO 27002:2022 is the companion standard that provides implementation guidance for the controls listed in ISO 27001:2022 Annex A. Annex A gives only a one-line control statement; ISO 27002 expands each one into purpose, guidance, and other information, so it helps translate the control into actionable measures.

Once the organization selects the controls from ISO 27001 Annex A, it can refer to the matching section of ISO 27002 for implementation.

Here's an example:

ISO 27001:2022 Annex A control 8.1 covers 'User endpoint devices'.

ISO 27002:2022 control 8.1 provides the implementation guidance. This includes the rules that a topic-specific policy on endpoint devices should cover, the user responsibilities that must be spelled out, and BYOD (Bring Your Own Device) considerations and recommendations.


How to create an ISO 27001 risk treatment plan?

Creating a Risk Treatment Plan (RTP) is central to the ISO 27001 framework. The tactical document outlines the specific controls that are necessary to mitigate risks and safeguard the organization.

Follow these 6 steps to create an ISO 27001 risk treatment plan:

1. Choose the risk assessment methodology

Start by determining the security risk assessment methodology for your ISO 27001 risk treatment plan. This helps ensure consistency in how risks are assessed across the organization, alignment with organizational objectives, and proper allocation of resources.

You can choose from different assessment methodologies, such as:

  • Qualitative assessments: Takes a subjective approach to risk likelihood and impact and uses descriptive scales like low, medium, and high to help prioritize risks.
  • Quantitative assessments: Assigns numerical values to risk likelihood and impact and helps estimate the financial repercussions of the risks.
  • Semi-quantitative assessments: Combines the two approaches by scoring likelihood and impact on a small numerical scale (for example 1 to 5 each, multiplied into a score of 1 to 25) and then mapping bands of scores back to descriptive levels such as low, medium, and high.
  • Asset-based assessments: Focuses on assessing risks associated with specific or critical information assets.
  • Vulnerability-based assessments: Analyzes weaknesses in systems or processes that can be exploited and estimates their likelihood and impact.
  • Threat-based assessments: Assesses risks based on the likelihood and impact of threats that could exploit vulnerabilities.

The choice of methodology will depend on several factors, such as the organization’s risk maturity, capabilities, complexity and nature of information assets, compliance requirements, etc.

2. Identify and assess risks

To identify risks, start by cataloging information assets and defining the processes and systems that come under the scope of the assessment. Gather information from diverse stakeholders on the current risk environment, including the kinds of risks faced, the methods already in use, and analysis of previous incidents. Use the chosen methodology to estimate the likelihood and impact of each potential risk.

Define your risk appetite and clearly bucket risks that you are willing to accept while also documenting risk acceptance criteria.

3. Develop a risk treatment plan

The next step is to create the tactical plan for treating the risks. This involves deciding the treatment strategy for each risk: avoidance, acceptance, reduction, or transfer. For risks that need to be reduced, define the controls that will bring them down, estimate the residual risk that will remain once the controls are in place, and assign a risk owner. Risk owners need to understand their roles and responsibilities clearly and how to manage their risks from end to end, including signing off on the residual risk.

4. Select controls and prepare a Statement of Applicability

Select the necessary controls, compare them against ISO 27001 Annex A to make sure nothing has been overlooked, and prepare a Statement of Applicability to justify the selection. The document lists every Annex A control, states whether it is included and implemented, and links each included control to the risks it mitigates. It also documents the reasons for any controls that are deemed not applicable or are excluded.

5. Implement controls

The Statement of Applicability is a mandatory document for ISO 27001. The organization can begin implementing controls once the plan has been communicated and approved by the risk owners and management; the external auditor later checks the plan and its evidence rather than approving it. Organize security training and awareness programs to help employees understand their roles in implementation and the dos and don'ts of risk reduction. Roll out technical controls, such as encryption and access policies, to safeguard information assets. You can use tools to manage controls and enable automated checks to stay on track.

6. Monitor and review

Create a continuous monitoring mechanism to confirm that the controls keep working as intended. Collect and compare metrics, review incidents of non-compliance or near-misses, and evaluate ISMS health periodically to get a comprehensive view of the risk management status. Regularly review and update the risk treatment plan in light of the evolving risk environment.


ISO 27001 risk treatment plan example

Here’s a short risk treatment plan example:

  • Risk identified: Unauthorized access to sensitive customer data. Likelihood: Medium. Impact: High. Treatment strategy: Risk reduction. Mitigating controls: multi-factor authentication, regular access reviews, regular software updates and vulnerability patching, internal audits.
  • Risk identified: Data loss due to hardware failure. Likelihood: Medium. Impact: High. Treatment strategy: Risk reduction. Mitigating controls: data backups, failover mechanisms, and regular testing of recovery procedures.
  • Risk identified: Minor glitches in non-critical apps. Likelihood: Low. Impact: Low. Treatment strategy: Risk acceptance. Mitigating controls: none added; monitor the apps for any change in likelihood or impact.
  • Risk identified: Phishing attack on employees. Likelihood: High. Impact: Low. Treatment strategy: Risk reduction. Mitigating controls: employee training and an email filtering solution.

Note that this is only a snippet from the actual plan to give you an idea of how treatment strategies are chosen. The full-fledged plan will also include details on risk owners, existing controls, residual risk (post-control implementation), and a detailed timeline for implementation.
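To show how the six steps above and the example table fit together in practice, here is a small semi-quantitative risk register written for this article as an added example (not a tool from the page's author or from Sprinto). It scores each risk, applies the chosen treatment and its controls to get a residual score, checks the plan against documented acceptance criteria the way an auditor would, and derives the list of Annex A controls that a Statement of Applicability has to justify. The 1 to 5 scales, the appetite threshold of 4, the point reductions per control, and the mapping of each control to an Annex A number are illustrative assumptions, not values prescribed by ISO 27001; the register entries are constructed from the table above plus one deliberately incomplete entry (R5).

```python
"""Added example: a semi-quantitative ISO 27001 risk register.

Scores, thresholds and Annex A mappings below are illustrative assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Assumption: 1-5 scales for likelihood and impact; score = likelihood x impact (1..25).
LEVEL = {"low": 1, "medium": 3, "high": 5}
# Assumption (risk acceptance criteria): a residual score of 4 or less needs no further action.
RISK_APPETITE = 4
TREATMENTS = {"avoid", "reduce", "transfer", "accept"}


@dataclass
class Control:
    annex_a: str            # Annex A reference this control maps to, e.g. "A.8.5"
    name: str
    likelihood_cut: int = 0  # points removed from likelihood once implemented
    impact_cut: int = 0      # points removed from impact once implemented


@dataclass
class Risk:
    rid: str
    description: str
    likelihood: int
    impact: int
    owner: str
    treatment: str
    controls: List[Control] = field(default_factory=list)
    accepted_by: Optional[str] = None  # risk owner who signed off the residual risk

    def inherent_score(self) -> int:
        return self.likelihood * self.impact

    def residual(self) -> Tuple[int, int]:
        """Likelihood and impact after treatment, floored at 1; avoidance removes the activity."""
        if self.treatment == "avoid":
            return 0, 0
        lik = max(1, self.likelihood - sum(c.likelihood_cut for c in self.controls))
        imp = max(1, self.impact - sum(c.impact_cut for c in self.controls))
        return lik, imp

    def residual_score(self) -> int:
        lik, imp = self.residual()
        return lik * imp


def validate(register: List[Risk], appetite: int = RISK_APPETITE) -> List[str]:
    """Return the plan defects an auditor would raise against ISO 27001 clause 6.1.3."""
    findings = []
    for r in register:
        if r.treatment not in TREATMENTS:
            findings.append(f"{r.rid}: unknown treatment option '{r.treatment}'")
        if r.treatment in {"reduce", "transfer"} and not r.controls:
            findings.append(f"{r.rid}: treatment '{r.treatment}' chosen but no controls assigned")
        if r.residual_score() > appetite and r.accepted_by is None:
            findings.append(f"{r.rid}: residual {r.residual_score()} exceeds appetite {appetite} "
                            "and has no risk-owner acceptance")
        if r.treatment == "accept" and r.accepted_by is None:
            findings.append(f"{r.rid}: acceptance recorded without risk-owner sign-off")
    return findings


def statement_of_applicability(register: List[Risk]) -> Dict[str, List[str]]:
    """Map each selected Annex A control to the risk IDs that justify its inclusion."""
    soa: Dict[str, List[str]] = {}
    for r in register:
        for c in r.controls:
            soa.setdefault(c.annex_a, []).append(r.rid)
    return soa


def plan_rows(register: List[Risk]) -> List[Tuple[str, int, str, int, str]]:
    """Rows of the treatment plan: id, inherent score, treatment, residual score, owner."""
    return [(r.rid, r.inherent_score(), r.treatment, r.residual_score(), r.owner) for r in register]


# Constructed register mirroring the example table above, plus one defective entry (R5).
REGISTER = [
    Risk("R1", "Unauthorized access to sensitive customer data", LEVEL["medium"], LEVEL["high"],
         "Head of Security", "reduce", [
             Control("A.8.5", "Multi-factor authentication", likelihood_cut=2),
             Control("A.5.18", "Quarterly access reviews", likelihood_cut=1),
             Control("A.8.8", "Vulnerability patching", likelihood_cut=1),
             Control("A.8.24", "Encryption of customer data at rest", impact_cut=2)]),
    Risk("R2", "Data loss due to hardware failure", LEVEL["medium"], LEVEL["high"],
         "Head of Infrastructure", "reduce", [
             Control("A.8.13", "Tested backups", impact_cut=3),
             Control("A.8.14", "Failover for critical services", impact_cut=1)]),
    Risk("R3", "Minor glitches in non-critical apps", LEVEL["low"], LEVEL["low"],
         "Head of Engineering", "accept", accepted_by="Head of Engineering"),
    Risk("R4", "Phishing attack on employees", LEVEL["high"], LEVEL["low"],
         "Head of Security", "reduce", [
             Control("A.6.3", "Awareness training", likelihood_cut=1),
             Control("A.8.7", "Email filtering / anti-malware gateway", likelihood_cut=2)]),
    Risk("R5", "Internet-facing legacy system no longer patched", LEVEL["high"], LEVEL["high"],
         "Head of Infrastructure", "reduce"),  # no controls, no sign-off: should be flagged
]

if __name__ == "__main__":
    for row in plan_rows(REGISTER):
        print(row)
    for finding in validate(REGISTER):
        print("FINDING:", finding)
    print(statement_of_applicability(REGISTER))
```

Two design points are worth noticing. First, controls are tagged with the dimension they actually change: MFA and patching lower likelihood, while encryption and backups lower impact, so the residual score reflects why a control was chosen rather than a hand-wavy "risk reduced". Second, validate() encodes the clause 6.1.3 expectations as checks: a reduction with no controls, and any residual above appetite that no risk owner has accepted, both come back as findings, which is exactly what the R5 entry triggers.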

Ensure integrated risk management with Sprinto

Risk treatment is core to establishing an effective Information Security Management System (ISMS) which is integral to ISO 27001. Systematically treating risks helps build a resilient organization and facilitates continuous improvements. However, it requires streamlined processes, centralized management, proper documentation and reporting and monitoring. Enter Sprinto.

Sprinto is a comprehensive GRC tool that can help you integrate risk management with your compliance program while accelerating ISO 27001 audit-readiness.

Once your assets are integrated with Sprinto, it automatically maps Annex A criteria to controls. The integrated risk assessment process helps you identify risks and implement mitigation policies accordingly. You can manage all aspects of ISO 27001 compliance from a single dashboard. Automated control checks periodically collect evidence while flagging any instances of non-compliance for security teams to remediate. The audit-grade evidence collected can easily be reviewed by the auditor on an independent dashboard for seamless collaboration.

Want to see how all this is done? Speak to our compliance experts and kickstart your ISO 27001 journey today.

FAQs

What is included in the risk treatment plan?

The key components of a risk treatment plan are the risks identified, the treatment option chosen for each, the selected controls and the Annex A references they map to, the risk owner, the implementation timeline and status, the expected residual risk, and how the plan will be monitored and updated. ISO 27001 does not prescribe a format, only that the plan exists and is approved by the risk owners.

Which tools can help with ISO 27001 risk assessment and treatment?

You can use risk assessment tools like RiskWatch or Archer or you can use GRC platforms like Sprinto, and MetricStream to manage ISO 27001 risk assessments and treatment. These tools help streamline the risk management process and ensure compliance.

Can risk treatment plans be outsourced?

The development of risk treatment plans can be outsourced and involve external consultants. However, the ultimate responsibility for implementation lies with the organization. The consultant can offer expertise but the company needs to ensure compliance.

How are new risks incorporated into the risk treatment plan?

New risks are constantly identified through ongoing monitoring, incident reviews, internal audits and feedback from stakeholders. These are then assessed for likelihood and impact and incorporated into the risk treatment plan along with treatment options and appropriate controls.

Payal Wadhwa
Payal is your friendly neighborhood compliance whiz who is also ISC2 certified! She turns perplexing compliance lingo into actionable advice about keeping your digital business safe and savvy. When she isn’t saving virtual worlds, she’s penning down poetic musings or lighting up local open mics. Cyber savvy by day, poet by night!
