
How to produce a risk treatment plan

The risk treatment plan is one of the mandatory documents that must be produced as part of a certified ISO 27001 ISMS (information security management system).

It provides a summary of each of the identified risks, the responses that have been designed for each risk, the parties responsible for those risks and the target date for applying the risk treatment.

But what exactly does the process look like? We explain what you need to know in this blog.

How to create a risk treatment plan

The risk treatment plan is produced after you’ve completed the risk assessment. It takes the result of that assessment – i.e. the threats your organisation faces and their severity – and explains how to manage them.

At its core, this means describing the actions you will take to tackle each risk and documenting who is responsible for performing those tasks.

The plan must also summarise identified risks and state the date that the risk response was (or will be) implemented.


Our free green paper, 5 critical steps to successful ISO 27001 risk assessments, explains how to conduct a risk assessment and prepare for the risk treatment plan.


There are four options for responding to a risk:

  1. Treat: when a risk has been identified as unacceptable and requires one or more specific controls to be applied in order to reduce the risk.
  2. Tolerate: when a risk has been identified but either the likelihood of it occurring is too small, or the cost of treating it is too high, to justify treatment.
  3. Terminate: when a risk has been identified and, instead of being treated, a decision is made to cease the activity that causes the risk (for instance, replacing outdated hardware).
  4. Transfer: when a risk has been identified that can be transferred to a third party, such as an insurance firm.

Most risks will be treated (that is, modified by applying controls), because treatment typically offers the best combination of security and cost.

Annex A of ISO 27001 provides an ideal starting point when deciding how to modify a risk. It contains 114 controls, which are split into 14 sections, each one tailored to a specific aspect of information security.

However, you can also use controls from any other relevant framework, such as the PCI DSS (Payment Card Industry Data Security Standard) or NIST SP 800-53.

Simple risk assessments with vsRisk

Looking for help completing your risk assessment? Our vsRisk software package guides you through the risk assessment process, providing everything you need to deliver repeatable, consistent assessments year after year.


Fully aligned with ISO 27001, vsRisk can generate six audit-ready reports, including the risk treatment plan and the Statement of Applicability.

It is proven to simplify and speed up the risk assessment process by reducing its complexity and cutting associated costs.

Conduct simple, fast and accurate risk assessments with vsRisk


A version of this blog was originally published on 4 February 2015.



*** This is a Security Bloggers Network syndicated blog from Vigilant Software – Compliance Software Blog authored by Luke Irwin. Read the original post at: https://www.vigilantsoftware.co.uk/blog/the-risk-treatment-plan