    ISO 27001 & ISO 22301 Knowledge base

    Risk Treatment Plan and risk treatment process – What’s the difference?

    The Risk Treatment Plan is one of the key documents in ISO 27001, but it is very often confused with the documentation that is produced as the result of the risk treatment process. Here’s the difference:

    Risk treatment process

    Risk treatment is a step in the risk management process that follows the risk assessment step – in the risk assessment all the risks need to be identified, and the risks that are not acceptable must be selected. The main task in the risk treatment step is to select one or more options for treating each unacceptable risk, i.e. to decide how to mitigate all these risks. Four risk treatment options exist (for the complete risk management process, please read ISO 27001 risk assessment & treatment – 6 basic steps):

    1. Apply security controls from Annex A to decrease the risks – see the article ISO 27001 Annex A controls.
    2. Transfer the risk to another party – e.g. to an insurance company by buying an insurance policy.
    3. Avoid the risk by stopping an activity that is too risky, or by doing it in a completely different fashion.
    4. Accept the risk – if, for instance, the cost of mitigating that risk would be higher than the damage itself.

    Risk treatment is usually done in the form of a simple sheet, where you link mitigation options and controls with each unacceptable risk; this can also be done with a risk management tool, if you use one. According to ISO 27001, the risk treatment results must be documented in the Risk assessment report, and those results are the main inputs for writing the Statement of Applicability. This means that the results of risk treatment are not directly documented in the Risk Treatment Plan.

    Risk Treatment Plan

    So, where is the Risk Treatment Plan in this whole process? The answer is: it can be written only after the Statement of Applicability is finished.

    Why is this so? To start thinking about the Risk Treatment Plan, it is easier to think of it as an “Action plan” where you need to specify which security controls you need to implement, who is responsible for them, what the deadlines are, and which resources (i.e. financial and human) are required. But in order to write such a document, you first need to decide which controls need to be implemented, and this is done (in a very systematic way) through the Statement of Applicability.

    The question is – why doesn’t ISO 27001 require the results from the risk treatment process to be documented directly in the Risk Treatment Plan? Why was this step in between needed, in the form of the Statement of Applicability? My opinion is that the authors of ISO 27001 wanted to encourage companies to get a comprehensive picture of information security – when deciding in the Statement of Applicability which controls are applicable and which are not, the result of risk treatment is not the only input; other inputs are legal, regulatory and contractual requirements, other business needs, etc. In other words, the SoA serves as a kind of checklist that takes a global view of the organization, and the Risk Treatment Plan wouldn’t be complete without such a check.

    To conclude – the Risk Treatment Plan is the point where theory stops and real life begins according to ISO 27001. A good risk assessment and risk treatment process, together with a comprehensive Statement of Applicability, will produce a very usable action plan for your information security implementation; skip some of these steps and the Risk Treatment Plan will only confuse you.

    To see how to use the ISO 27001 risk register with catalogs of assets, threats, and vulnerabilities, and get automated suggestions on how they are related, sign up for a 30-day free trial of Conformio, the leading ISO 27001 compliance software.

    Dejan Kosutic
    Leading expert on cybersecurity / information security and author of several books, articles, webinars, and courses. As a premier expert, Dejan founded Advisera to help small and medium businesses obtain the resources they need to become certified against ISO 27001 and other ISO standards. He believes that making ISO standards easy-to-understand and simple-to-use creates a competitive advantage for Advisera's clients. As an ISO 27001 expert, Dejan is sought out to help companies find the best way to obtain certification by eliminating overhead and adapting the implementation to the specifics of their size and industry.