CALL US +1 (646) 759 9933

ISO 27001/ISO 22301 Knowledge base

Dejan Kosutic

Risk Treatment Plan and risk treatment process – What’s the difference?

Author: Dejan Kosutic

Risk Treatment Plan is one of the key documents in ISO 27001, however it is very often confused with the documentation that is produced as the result of a risk treatment process. Here’s the difference:

Risk treatment process

Risk treatment is a step in the risk management process that follows the risk assessment step – in the risk assessment all the risks need to be identified, and risks that are not acceptable must be selected. The main task in the risk treatment step is to select one or more options for treating each unacceptable risk, i.e. decide how to mitigate all these risks. Four risk treatment options exist (for complete risk management process, please read ISO 27001 risk assessment & treatment – 6 basic steps):

  1. Apply security controls from Annex A to decrease the risks – see this article ISO 27001 Annex A controls.
  2. Transfer the risk to another party – e.g. to an insurance company by buying an insurance policy.
  3. Avoid the risk by stopping an activity that is too risky, or by doing it in a completely different fashion.
  4. Accept the risk – if, for instance, the cost of mitigating that risk would be higher that the damage itself.

Risk treatment is usually done in a form of a simple sheet, where you link mitigation options and controls with each unacceptable risk; this can also be done with a risk management tool, if you use one. According to ISO 27001, it is required to document the risk treatment results in the Risk assessment report, and those results are the main inputs for writing Statement of Applicability. This means that results of risk treatment are not directly documented in Risk Treatment Plan.

Risk Treatment Plan

So, where is the Risk Treatment Plan in this whole process? The answer is: it can be written only after Statement of Applicability is finished.

Why is this so? To start thinking about Risk Treatment Plan, it would be easier to think of it is an “Action plan” where you need to specify which security controls you need to implement, who is responsible for them, what are the deadlines, and which resources (i.e. financial and human) are required. But in order to write such a document, first you need to decide which controls need to be implemented, and this is done (in a very systematic way) through Statement of Applicability.

The question is – why didn’t ISO 27001 require the results from risk treatment process to be documented directly in the Risk Treatment Plan? Why was this step in between needed, in the form of Statement of Applicability? My opinion is that the authors of ISO 27001 wanted to encourage companies to get a comprehensive picture of information security – when deciding which controls are applicable in Statement of Applicability and which are not, the result of risk treatment is not the only input – other inputs are legal, regulatory and contractual requirements, other business needs, etc. In other words, SoA serves as a kind of a checklist that takes a global view of the organization, and Risk Treatment Plan wouldn’t be complete without such a check.

To conclude – Risk Treatment Plan is the point where theory stops, and real life begins according to ISO 27001. Good risk assessment and risk treatment process, as well as comprehensive Statement of Applicability, will produce very usable action plan for your information security implementation; skip some of these steps and Risk Treatment Plan will only confuse you.

To learn more, download this free Diagram of ISO 27001:2013 Risk Assessment and Treatment process.

If you enjoyed this article, subscribe for updates

Improve your knowledge with our free resources on ISO 27001/ISO 22301 standards.

You may unsubscribe at any time.

For more information on what personal data we collect, why we need it, what we do with it, how long we keep it, and what are your rights, see this Privacy Notice.

3 responses to “Risk Treatment Plan and risk treatment process – What’s the difference?”

  1. Nicolas Gabriel-Robez says:

    My question is very simple, why do we need the RTP since we can directly write the residual risks from SoA into the risk registry?

    • The purpose of the Risk Treatment Plan is to define precisely who is going to implement which control, which resources are needed, what are the deadlines, etc.

      “Risk register” does not exist as a term in ISO 27001, but this is usually a list of all identified risks and their assessment – very often the risk register does not contain information about the controls for risk treatment, and almost never does the risk register have information about the implementation plans.

      So if you have the detailed information about the control implementation in your risk registry, then you really don’t need a separate RTP; however if you don’t have this information then you need to have RTP if you want to be compliant with ISO 27001.

      This article will also be helpful: ISO 27001 risk assessment & treatment – 6 basic steps:

      This free online training will teach you the details of risk assessment and treatment: ISO 27001 Foundations Course:

  2. Nicolas Gabriel-Robez says:

    Here’s the discussion I had with your very kind Chat support member Renato about this issue, so to me the answer is not trivial given this discussion:

    You — Please update your info
    My question is very simple, why do we need the RTP since we can directly write the residual risks from SoA into the risk registry? Why use an RTP, when this process can be more straight forward?
    Chat started
    Renato joined the chat

    let me check
    simple, because the RTP is a mandatory document

    You — Please update your info
    You can call the risk registry also RTP

    has to be like this, that is ISO’s choice
    but wait one second

    You — Please update your info
    So the risk registry can act also as RTP
    It’s just a naming issue
    Same data can be gathered in both the RTP and risk registry so why not combine both?

    /27001academy/knowledgebase/risk-treatment-plan-and-risk-treatment-process-whats-the-difference/ i think this will help you

    You — Please update your info
    Well not really and I filed my question also on that page
    Look at the bottom


    You — Please update your info
    You can perform the risk treatment plan and file your risks in the risk registry, after that you can fill the SoA and file your residual risks directly to the risk registry

    please send an email to xxxx (intentionally left blank)
    she can help you maybe more
    with that

    You — Please update your info
    And then call the risk registry RTP

    you can do that

    You — Please update your info
    So in the end you don’t need a separate document as for a RTP
    you can use one single document and call it differently depending on your ISMS implementation phase

    🙂 right

Leave a Reply

Your email address will not be published. Required fields are marked *



  • Advisera is Exemplar Global Certified TPECS Provider for the IS, QM, EM, TL and AU Competency Units.
  • ITIL® is a registered trade mark of AXELOS Limited. Used under licence of AXELOS Limited. All rights reserved.
  • DNV GL Business Assurance is one of the leading providers of accredited management systems certification.