The risk treatment plan is one of the mandatory documents that must be produced as part of a certified ISO 27001 information security management system (ISMS).
It provides a summary of each of the identified risks, the responses that have been designed for each risk, the parties responsible for those risks and the target date for applying the risk treatment.
The risk treatment plan is produced after the risk assessment has been conducted. At its core, it is a detailed schedule describing who is responsible for specific actions in order to bring the risks down to acceptable levels.
ISO 27001:2013 requires organisations to determine controls “from any source”, after which they should compare the selected controls with those in Annex A to ensure that they have responded effectively to all risks.
There are four options for responding to a risk:
- Treat: when a risk has been identified as unacceptable and requires a specific control(s) to be applied in order to reduce the risk.
- Tolerate: when a risk has been identified but the likelihood of the risk occurring is either too small or the cost of treating the risk is too high to justify treatment.
- Terminate: when a risk has been identified and, instead of being treated, a decision is made to cease activity that causes the risk (for instance, replacing outdated hardware).
- Transfer: when a risk has been identified that can be transferred to a third party, such as an insurance firm.
vsRisk™ enables the risk assessor to generate a risk treatment plan following a risk assessment, in line with the requirements of ISO 27001. In addition, vsRisk also includes the ability to automatically produce a Statement of Applicability (SoA), risk assessment report, residual risk summary report, risk comments report and control usage report.