A risk treatment plan (RTP) is one of the mandatory reports that you will need to produce for your ISO 27001 information security management system (ISMS).
What is a risk treatment plan?
An RTP provides a summary of each of the identified risks, the responses that have been determined for each risk, the risk owners and the target date for applying the risk treatment.
It is produced after you have conducted your risk assessment and is a detailed plan describing roles and responsibilities for specific actions to bring the risks down to an acceptable level.
How to create your risk treatment plan
An RTP needs to provide a summary of:
- Identified risks;
- Responses that have been designed for each risk;
- Parties responsible for those risks; and
- The date to apply the risk treatment.
ISO 27001 suggests four ways to treat unacceptable risks:
- Retain (tolerate): the likelihood of the risk occurring is either too small or the cost of identifying the risk is too high to justify treatment.
- Avoid (terminate): a decision is made to cease the activity that causes the risk.
- Share (transfer): a risk has been identified that can be transferred to a third party.
- Modify (treat): a risk has been identified that requires specific controls to be applied to reduce the impact and/or likelihood.
If you choose to modify a risk, you can draw controls from Annex A of ISO 27001 or other frameworks, including the Payment Card Industry Data Security Standard (PCI DSS) or NIST SP 800-53.
Produce your risk treatment plan with vsRisk™
Fully aligned with ISO 27001, vsRisk can generate six audit-ready reports, including the RTP and the Statement of Applicability. Export, edit and share these reports with ease across your organisation and with auditors.
vsRisk streamlines the information security risk assessment process and helps you produce consistent, robust and reliable risk assessments year after year. It is proven to simplify and speed up the risk assessment process by reducing its complexity and cutting associated costs.