The ISO 27001 & ISO 22301 Blog

Dejan Kosutic

4 mitigation options in risk treatment according to ISO 27001

Most people think risk assessment is the most difficult part of implementing ISO 27001 – true, risk assessment is probably the most complex, but risk treatment is definitely the one that is more strategic and more costly.

The purpose of risk treatment seems rather simple: to control the risks identified during the risk assessment; in most cases this would mean to decrease the risk by reducing the likelihood of an incident (e.g., by using nonflammable building materials), and/or to reduce the impact on assets (e.g., by using automatic fire-suppression systems). During the risk treatment the organization should focus on those risks that are not acceptable; otherwise, it would be difficult to define priorities and to finance the mitigation of all the identified risks.

See also: ISO 27001 risk assessment & treatment – 6 basic steps.

4 most common treatment options

Once you have a list of unacceptable risks, you have to go one by one and decide how to treat each – usually, these options are applied:

  • Decrease the risk – this option is the most common, and it includes implementation of safeguards (controls) – like fire-suppression systems, etc.
  • Avoid the risk – stop performing certain tasks or processes if they incur such risks that are simply too big to mitigate with any other options – e.g., you can decide to ban the usage of laptops outside of the company premises if the risk of unauthorized access to those laptops is too high (because, e.g., such hacks could halt the complete IT infrastructure you are using).
  • Share the risk – this means you transfer the risk to another party – e.g., you buy an insurance policy for your building against fire, and therefore you transfer part of your financial risk to an insurance company. Unfortunately, this option does not have any influence on the incident itself, so the best strategy is to use this option together with options 1) and 2).
  • Retain the risk – this is the least desirable option, and it means your organization accepts the risk without doing anything about it. This option should be used only if the mitigation cost would be higher than the damage an incident would incur.

Decreasing the risks is the most common option for treating the risks, and for that purpose the controls from ISO 27001 Annex A are used (and any other controls that a company thinks are appropriate). See here how the controls are organized: Overview of ISO 27001:2013 Annex A.

Before you start the risk treatment

Before starting the risk treatment process, you should be aware of the main inputs: these are Risk Management Methodology and unacceptable risks from the risk assessment; however, an additional input should also be the available budget for the current year, because very often the mitigation will require an investment.

When selecting new controls, basically there are three types of controls:

  1. Defining new rules: rules are documented through plans, policies, procedures, instructions, etc., although you don’t have to document some less complex processes.
  2. Implementing new technology: for example, backup systems, disaster recovery locations for alternative data centers, etc.
  3. Changing the organizational structure: in some cases, you will need to introduce a new job function, or change the responsibilities of an existing position.

Deciding which controls to select

Risk treatment is a step where you normally wouldn’t include a very wide circle of people – you will have to brainstorm on each treatment option with specialists in your company who focus on certain areas. For example, if the treatment has to do with IT, you will speak to your IT guys; if it is about new trainings, you will speak to human resources, etc.

Of course, the final decision about some new treatment option will require a decision from the appropriate management level – sometimes the CISO will be able to make such decisions, sometimes it will be your project team, sometimes you will have to go to the department head in charge of a particular field (e.g., head of the legal department if you ask for additional clauses in the contracts with your partners), or perhaps to the executive level for larger investments. If you have doubts regarding who can decide what, consult with your project sponsor.

The process of risk treatment is very often documented similarly to the process of risk assessment – through Excel sheets or a tool, and finally, in the Risk treatment report. An example of a risk treatment table might look something like this:

| Asset | Threat | Vulnerability | Treatment option | Means of implementation |
| --- | --- | --- | --- | --- |
| Server | Fire | No fire extinguisher | 1) Decrease risk + 2) Share risk | Purchase fire extinguisher + buy insurance policy against fire |
| Laptop | Access by unauthorized persons | Inadequate password | 1) Decrease risk | Write Password Policy |
| System administrator | Leaving the company | No replacement | 1) Decrease risk | Hire second system administrator who will learn everything the first one does |

If you choose to measure residual risks, it should be done together with responsible persons in departments – you have to show them which treatment options you have planned for, and based on this information, and using the same scales, you have to assess the residual risk for every unacceptable risk identified earlier during risk assessment. So, for instance, if you had identified a consequence of level 4 and likelihood of level 5 during your risk assessment (which would mean risk of 9 by the method of addition), your residual risk may be 5 if you assessed that the consequence would lower to 3 and likelihood to 2 due to, e.g., safeguards you planned to implement.
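The treatment table and the residual-risk calculation above, as an added example that is not from the article or the book it excerpts: a small risk register that keeps only the unacceptable risks, records the chosen treatment options, and computes current and residual levels by the method of addition. The acceptance threshold (6), the 1–5 scales and all consequence/likelihood numbers are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional

# Assumption: 1-5 scales and an acceptance threshold of 6 on the summed level
# ("method of addition"); the article gives the scales but not the threshold.
ACCEPTABLE_LEVEL = 6

class Treatment(Enum):
    DECREASE = "Decrease risk"
    AVOID = "Avoid risk"
    SHARE = "Share risk"
    RETAIN = "Retain risk"

@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    consequence: int
    likelihood: int
    treatments: list = field(default_factory=list)
    means: str = ""
    # Residual values are assessed with the department owners after the
    # treatment is chosen, not derived mechanically; None = not assessed yet.
    residual_consequence: Optional[int] = None
    residual_likelihood: Optional[int] = None

    def level(self) -> int:
        return self.consequence + self.likelihood

    def residual_level(self) -> int:
        # A retained or not-yet-assessed risk keeps its current level.
        if self.treatments == [Treatment.RETAIN] or self.residual_consequence is None \
                or self.residual_likelihood is None:
            return self.level()
        return self.residual_consequence + self.residual_likelihood

def unacceptable(risks):
    """Risk treatment only considers risks above the acceptance threshold."""
    return [r for r in risks if r.level() > ACCEPTABLE_LEVEL]

def still_unacceptable(risks):
    """Risks whose planned treatment leaves the residual level above the threshold."""
    return [r for r in unacceptable(risks) if r.residual_level() > ACCEPTABLE_LEVEL]

def treatment_table(risks):
    """Rows in the article's column order, plus current and residual level."""
    return [(r.asset, r.threat, r.vulnerability,
             " + ".join(t.value for t in r.treatments), r.means,
             r.level(), r.residual_level()) for r in unacceptable(risks)]

# Constructed register reusing the article's three rows; all numbers are made up.
REGISTER = [
    Risk("Server", "Fire", "No fire extinguisher", 4, 5,
         [Treatment.DECREASE, Treatment.SHARE],
         "Purchase fire extinguisher + buy insurance policy against fire", 3, 2),
    Risk("Laptop", "Access by unauthorized persons", "Inadequate password", 3, 4,
         [Treatment.DECREASE], "Write Password Policy", 3, 2),
    Risk("System administrator", "Leaving the company", "No replacement", 4, 3,
         [Treatment.DECREASE], "Hire second system administrator"),
]
```

The last row has no residual assessment yet, so `still_unacceptable` keeps it on the to-do list until the department owner has re-assessed it with the same scales.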

Be creative!

When considering these options, and particularly safeguards that involve an investment in technology, please beware of the following: very often the first idea that comes to mind will be the most expensive – therefore, think hard before you purchase some expensive new system. Sometimes alternatives will exist that will be equally effective, but with lower cost. Also, be aware that most of the risks exist because of human behavior, not because of machines – therefore, it is questionable whether a machine is the solution to such a problem.

In other words, this is where you need to get creative – you need to figure out how to decrease the risks with minimum investment. It would be the easiest if your budget was unlimited, but that is never going to happen. And, I must tell you that unfortunately, your management is right – it is possible to achieve the same result with less money – you only need to be clever enough to come up with a solution.

This article is an excerpt from the new book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own. Click here to see what other topics are covered…
