Creating a Risk Treatment Plan for ISO 27001 Compliance
Developing a risk treatment plan is a pivotal step in achieving ISO/IEC 27001 certification. It turns risk assessments into action by defining how identified risks will be managed, reduced, or accepted.
What Is a Risk Treatment Plan?
A risk treatment plan (RTP) outlines the actions an organization will take to address information security risks identified during the risk assessment process. It forms part of the ISO 27001-required documentation and supports continual improvement of the Information Security Management System (ISMS).
The plan should specify:
The identified risks
The chosen treatment option (e.g., mitigate, transfer, avoid, accept)
Responsible parties
Target timelines
Required resources
Residual risk acceptance
Why It Matters
Without a clear and actionable risk treatment plan, your ISMS lacks teeth. Auditors will look for evidence that risks are not only identified but actively managed through structured planning and accountability. A well-developed RTP:
Ensures regulatory and ISO 27001 clause alignment
Demonstrates due diligence and risk ownership
Provides a measurable framework for continual improvement
Steps to Build a Risk Treatment Plan
1. Link to Risk Assessment: Ensure each risk in the treatment plan corresponds to a finding in your latest risk assessment.
2. Choose Appropriate Treatments: Treatment options typically include:
   Reducing the risk through controls (Annex A)
   Avoiding the risk altogether
   Transferring the risk (e.g., insurance, outsourcing)
   Accepting the risk with justification
3. Map to Annex A Controls: When selecting controls, cross-reference Annex A and ensure each control has an implementation owner.
4. Assign Responsibility: Make it clear who is responsible for each action. Accountability drives follow-through.
5. Track Progress: Set review dates and monitor progress to ensure timely implementation.
6. Accept Residual Risk: Where applicable, document justification for accepting remaining risk. This must be formally approved by relevant leadership.
Format Example
An effective risk treatment plan might include the following fields:
Risk ID
Description
Treatment Decision
Control(s) Applied
Owner
Timeline
Status
Residual Risk & Approval
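The completeness rules from the steps above and the fields in this format can be checked mechanically before an internal audit. The following is an added example (not Wintersmith Advisory's tooling); the field names, the Annex A control reference and the sample rows are constructed for illustration.

```python
"""Check risk treatment plan (RTP) rows for the gaps an auditor looks for:
traceability to the risk assessment, a valid treatment option, an owner,
mapped controls for mitigations, a timeline, and approved residual-risk
acceptance. Added example with constructed data; not the article's own tool."""
from datetime import date

TREATMENTS = {"mitigate", "transfer", "avoid", "accept"}


def validate_rtp(entries, assessment_risk_ids, today=date(2024, 1, 1)):
    """Return {risk_id: [problems]} for rows that break a rule.
    `today` is a fixed reference date so results are reproducible."""
    findings = {}
    for e in entries:
        problems = []
        rid = e.get("risk_id", "<missing>")
        if rid not in assessment_risk_ids:
            problems.append("no matching finding in latest risk assessment")
        decision = e.get("treatment", "").lower()
        if decision not in TREATMENTS:
            problems.append(f"unknown treatment option '{decision}'")
        if not e.get("owner"):
            problems.append("no responsible owner assigned")
        if decision == "mitigate" and not e.get("controls"):
            problems.append("mitigation without mapped Annex A control(s)")
        if decision == "accept":
            if not e.get("justification"):
                problems.append("residual risk accepted without justification")
            if not e.get("approved_by"):
                problems.append("residual risk acceptance not formally approved")
        due = e.get("timeline")
        if due is None:
            problems.append("no target timeline")
        elif due < today and e.get("status") != "complete":
            problems.append("overdue: timeline passed and status not complete")
        if problems:
            findings[rid] = problems
    return findings


# Constructed sample: assessment IDs plus three hypothetical plan rows.
SAMPLE_ASSESSMENT_IDS = {"R-001", "R-002"}
SAMPLE_ENTRIES = [
    {"risk_id": "R-001", "treatment": "mitigate", "controls": ["A.8.16"],
     "owner": "IT Ops Lead", "timeline": date(2024, 6, 30), "status": "in progress"},
    {"risk_id": "R-002", "treatment": "accept", "owner": "CISO", "status": "complete",
     "timeline": date(2023, 12, 1), "justification": "Cost of control exceeds impact"},
    {"risk_id": "R-009", "treatment": "ignore", "timeline": None},  # not in assessment
]

if __name__ == "__main__":
    for rid, problems in validate_rtp(SAMPLE_ENTRIES, SAMPLE_ASSESSMENT_IDS).items():
        print(rid, "->", "; ".join(problems))
```

Rows that pass every rule are omitted from the result, so an empty dictionary means the plan is complete under these checks.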
Wintersmith Advisory: Here to Help
At Wintersmith Advisory, we help organizations not only meet ISO 27001 requirements but integrate them into business reality. Our support includes:
Risk assessment facilitation
Custom risk treatment plans
Control mapping and implementation support
Internal audit readiness
If you're pursuing or maintaining ISO 27001 certification, a tailored risk treatment plan is essential. Let us help you turn risks into manageable, measurable actions that stand up to audit and improve your security posture.