How to create a risk treatment plan for your information security management system

A risk treatment plan (RTP) is one of the mandatory reports that you will need to produce for your ISO 27001 information security management system (ISMS).

What is a risk treatment plan?

An RTP provides a summary of each of the identified risks, the responses that have been determined for each risk, the risk owners and the target date for applying the risk treatment.

It is produced after you have conducted your risk assessment and is a detailed plan describing roles and responsibilities for specific actions to bring the risks down to an acceptable level.

Download a copy of our free white paper 5 Critical Steps to Successful ISO 27001 Risk Assessments for more information on conducting an information security risk assessment >>

How to create your risk treatment plan

An RTP needs to provide a summary of:

  • Identified risks;
  • Responses that have been designed for each risk;
  • Parties responsible for those risks; and
  • The date to apply the risk treatment.

ISO 27001 suggests four ways to treat unacceptable risks:

  • Retain (tolerate): the likelihood of the risk occurring is either too small or the cost of identifying the risk is too high to justify treatment.
  • Avoid (terminate): a decision is made to cease the activity that causes the risk.
  • Share (transfer): a risk has been identified that can be transferred to a third party.
  • Modify (treat): a risk has been identified that requires specific controls to be applied to reduce the impact and/or likelihood.

If you choose to modify a risk, you can draw controls from Annex A of ISO 27001 or other frameworks, including the Payment Card Industry Data Security Standard (PCI DSS) or NIST SP 800-53.

Produce your risk treatment plan with vsRisk

Fully aligned with ISO 27001, vsRisk can generate six audit-ready reports, including the RTP and the Statement of Applicability. Export, edit and share these reports with ease across your organisation and with auditors.

vsRisk - Risk Treatment Plan ISO 27001

vsRisk streamlines the information security risk assessment process and helps you produce consistent, robust and reliable risk assessments year after year. It is proven to simplify and speed up the risk assessment process by reducing its complexity and cutting associated costs.


5 Stars

“vsRisk™ is a great way to manage and report your risks and present the acceptance criteria to the board for eventual sign off.”

James Ellis – Secure and Confidential Documents Ltd (SCD)


Book a live demonstration with a member of our team to see how much time and money you can save with vsRisk >>


One Response

  1. President prag Of the usa 2nd February 2020

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.