Creating a Risk Treatment Plan for ISO 27001 Compliance

Developing a risk treatment plan is a pivotal step in achieving ISO/IEC 27001 certification. It turns risk assessments into action by defining how identified risks will be managed, reduced, or accepted.

What Is a Risk Treatment Plan?

A risk treatment plan (RTP) outlines the actions an organization will take to address information security risks identified during the risk assessment process. It forms part of the ISO 27001-required documentation and supports continual improvement of the Information Security Management System (ISMS).

The plan should specify:

• The identified risks

• The chosen treatment option (e.g., mitigate, transfer, avoid, accept)

• Responsible parties

• Target timelines

• Required resources

• Residual risk acceptance

Why It Matters

Without a clear and actionable risk treatment plan, your ISMS lacks teeth. Auditors will look for evidence that risks are not only identified but actively managed through structured planning and accountability. A well-developed RTP:

• Ensures regulatory and ISO 27001 clause alignment

• Demonstrates due diligence and risk ownership

• Provides a measurable framework for continual improvement

Steps to Build a Risk Treatment Plan

Link to Risk Assessment

Every action in your risk treatment plan must be traceable to a specific risk identified in your latest risk assessment.

• Use consistent risk identifiers (e.g., risk IDs or codes) to link treatments to the corresponding risk entries

• Ensure each risk description is clearly stated, including the impact, likelihood, and evaluation criteria

• Update the treatment plan promptly if risk ratings or scope change during reassessment

• Maintain an auditable trail from the risk register to treatment actions to demonstrate alignment

Choose Appropriate Treatments

ISO 27001 recognizes several valid options for risk treatment. Select the method that best aligns with your business objectives and risk appetite:

• Reduce the risk by implementing or enhancing controls (preferably from Annex A or equivalent)

• Avoid the risk by discontinuing the activity that causes it (e.g., stopping use of a high-risk system)

• Transfer the risk to another party (e.g., outsourcing to a specialized vendor, or insuring against data loss)

• Accept the risk where the potential impact is within tolerance and justified with a formal decision

Actionable guidance:

• Document the rationale for each selected treatment option

• Consult key stakeholders and data owners to align treatment choices with operational realities

• Validate the effectiveness of existing or proposed controls before relying on them to reduce risk

Map to Annex A Controls

For every control used to mitigate a risk, reference its corresponding clause in ISO/IEC 27001 Annex A (or the organization's extended control set).

• Clearly cite the control ID (e.g., A.8.1.1 – Inventory of Assets)

• Define how the control will be implemented, not just named

• Assign an implementation owner with appropriate authority and resources

• Identify any dependencies (e.g., required training, software purchases, vendor integration)

Assign Responsibility

• Name a specific individual or team responsible for implementing each control or risk treatment

• Ensure responsibilities are documented in the Statement of Applicability and treatment plan

• Set expectations for timelines, deliverables, and documentation requirements

Track Progress

• Establish a tracking log or risk treatment register to monitor action status

• Set realistic implementation deadlines and interim checkpoints

• Periodically review progress in security meetings or management reviews

• Escalate delayed or stalled treatments to responsible leadership

Accept Residual Risk

• Once treatments are implemented, reassess the residual risk level

• Document residual risks that remain above or near the organization’s risk acceptance threshold

• Require formal acceptance (e.g., sign-off by the risk owner or senior management)

• Record the rationale for acceptance and review it regularly for continued appropriateness

By following these steps, organizations can ensure their ISO 27001 risk treatment plans are not only compliant but also actionable, strategic, and integrated into broader risk governance.

Format Example

An effective risk treatment plan might include the following fields:

• Risk ID

• Description

• Treatment Decision

• Control(s) Applied

• Owner

• Timeline

• Status

• Residual Risk & Approval

Wintersmith Advisory: Here to Help

At Wintersmith Advisory, we help organizations not only meet ISO 27001 requirements but integrate them into business reality. Our support includes:

• Risk assessment facilitation

• Custom risk treatment plans

• Control mapping and implementation support

• Internal audit readiness

If you're pursuing or maintaining ISO 27001 certification, a tailored risk treatment plan is essential. Let us help you turn risks into manageable, measurable actions that stand up to audit and improve your security posture.