As part of your ISO 27001 certification project, your organisation will need appropriate documentation to demonstrate its compliance. The risk treatment plan (RTP) is one of the mandatory documents that you will need to produce for your information security management system (ISMS).
Key elements of the risk treatment plan
Clause 6.1.2 of the Standard focuses on the information security risk assessment and requires organisations to “prioritize the analysed risks for risk treatment”.
It also states that organisations “shall retain documented information about the information security risk assessment process”.
The risk treatment plan is produced after you have conducted your risk assessment. Clause 6.1.3 (information security risk treatment) requires the organisation to formulate the plan and to obtain the risk owners' approval of it and their acceptance of the residual risks. It is a detailed document describing the actions, and the roles and responsibilities for carrying them out, that will bring each identified risk down to an acceptable level.
The risk treatment plan needs to provide a summary of:
- Identified risks and their assessed level;
- The treatment option and specific actions designed for each risk, and the residual risk expected once they are applied;
- The risk owner and the parties responsible for implementing each treatment; and
- The target date by which each treatment is to be applied.
ISO 27001 (with its supporting guidance in ISO 27005) describes four options for treating unacceptable risks:
- Retain (previously referred to as tolerate) – the risk is accepted as it stands, typically because its likelihood or impact is low, or because the cost of treating it would outweigh the benefit. The decision must still be documented and accepted by the risk owner.
- Avoid (previously referred to as terminate) – the activity that gives rise to the risk is stopped or not undertaken.
- Share (previously referred to as transfer) – part of the risk is passed to a third party, for example through insurance or outsourcing. Accountability for the risk remains with the organisation.
- Modify (previously referred to as treat) – specific controls (from Annex A of ISO 27001 or other frameworks) are applied to reduce the likelihood and/or impact; the residual risk that remains must then be assessed and accepted.
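The Python below is an added example, not text from the Standard or from any toolkit, showing how the steps above fit together: prioritise the analysed risks against an acceptance criterion (clause 6.1.2), record a treatment option, owner and target date for each, and check that the expected residual risk is acceptable or has been explicitly accepted by the risk owner (clause 6.1.3). The 5x5 likelihood-by-impact scoring, the acceptance threshold of 6, the sample risks and their owners are all constructed for illustration; the control names cited are ISO 27001:2022 Annex A titles, but which controls fit a given risk is an assumption.

```python
"""Illustrative risk register -> risk treatment plan (RTP) builder.

Added example; the scoring scale, threshold and sample risks are assumptions.
"""
from dataclasses import dataclass, field
from datetime import date
from enum import Enum
from typing import Optional


class Treatment(str, Enum):
    RETAIN = "retain"   # accept as-is; needs documented risk-owner acceptance
    AVOID = "avoid"     # stop, or do not start, the activity causing the risk
    SHARE = "share"     # e.g. insurance or outsourcing; accountability stays
    MODIFY = "modify"   # apply controls to reduce likelihood and/or impact


@dataclass
class Risk:
    risk_id: str
    description: str
    likelihood: int                      # 1 (rare) .. 5 (almost certain); assumed scale
    impact: int                          # 1 (negligible) .. 5 (severe); assumed scale
    owner: str                           # risk owner who approves the treatment
    treatment: Optional[Treatment] = None
    controls: list = field(default_factory=list)   # Annex A or other control references
    residual_likelihood: Optional[int] = None      # estimate after treatment is applied
    residual_impact: Optional[int] = None
    target_date: Optional[date] = None
    accepted_by_owner: bool = False      # explicit acceptance of residual risk

    @property
    def score(self) -> int:
        return self.likelihood * self.impact

    @property
    def residual_score(self) -> Optional[int]:
        if self.treatment is Treatment.AVOID:
            return 0                     # activity no longer performed
        if self.treatment in (Treatment.RETAIN, None):
            return self.score            # nothing changes
        if self.residual_likelihood is None or self.residual_impact is None:
            return None                  # share/modify without an estimate
        return self.residual_likelihood * self.residual_impact


def prioritise(risks, threshold):
    """Risks above the acceptance criterion, highest inherent score first."""
    unacceptable = [r for r in risks if r.score > threshold]
    return sorted(unacceptable, key=lambda r: (-r.score, r.risk_id))


def build_rtp(risks, threshold):
    """One RTP row per unacceptable risk: what, how, who, by when, residual."""
    return [{
        "risk": r.risk_id,
        "inherent": r.score,
        "treatment": r.treatment.value if r.treatment else None,
        "controls": ", ".join(r.controls),
        "owner": r.owner,
        "due": r.target_date.isoformat() if r.target_date else "",
        "residual": r.residual_score,
    } for r in prioritise(risks, threshold)]


def validate_plan(risks, threshold):
    """Problems that should stop the RTP being signed off by the risk owners."""
    issues = []
    for r in prioritise(risks, threshold):
        if r.treatment is None:
            issues.append(f"{r.risk_id}: unacceptable risk has no treatment option")
            continue
        residual = r.residual_score
        if residual is None:
            issues.append(f"{r.risk_id}: residual risk not estimated for '{r.treatment.value}'")
            continue
        if r.treatment is Treatment.MODIFY and not r.controls:
            issues.append(f"{r.risk_id}: 'modify' chosen but no controls listed")
        if r.treatment in (Treatment.MODIFY, Treatment.SHARE) and r.target_date is None:
            issues.append(f"{r.risk_id}: no target date for applying the treatment")
        if residual > threshold and not r.accepted_by_owner:
            issues.append(f"{r.risk_id}: residual {residual} above threshold {threshold} without owner acceptance")
    return issues


THRESHOLD = 6  # assumed acceptance criterion: a score of 6 or below is acceptable

REGISTER = [  # constructed sample register
    Risk("R-01", "Ransomware on file servers via unpatched VPN appliance", 4, 5, "Head of IT",
         Treatment.MODIFY, ["A.8.8 Management of technical vulnerabilities", "A.8.13 Information backup"],
         residual_likelihood=2, residual_impact=3, target_date=date(2024, 9, 30)),
    Risk("R-02", "Loss of laptop containing customer data", 3, 4, "COO",
         Treatment.MODIFY, ["A.8.24 Use of cryptography"],
         residual_likelihood=3, residual_impact=1, target_date=date(2024, 8, 31)),
    Risk("R-03", "Legacy FTP service exposed to the internet", 3, 3, "Head of IT", Treatment.AVOID),
    Risk("R-04", "Data centre flood", 2, 5, "CFO", Treatment.SHARE, ["Property and cyber insurance"],
         residual_likelihood=1, residual_impact=2, target_date=date(2024, 12, 31)),
    Risk("R-05", "Defaced marketing microsite", 2, 2, "Marketing Director"),   # acceptable as-is
    Risk("R-06", "Insider misuse of admin privileges", 3, 4, "CISO", Treatment.MODIFY, [],
         residual_likelihood=2, residual_impact=4),                             # incomplete entry
    Risk("R-07", "Supplier SaaS outage", 3, 3, "COO", Treatment.RETAIN, accepted_by_owner=True),
]

if __name__ == "__main__":
    for row in build_rtp(REGISTER, THRESHOLD):
        print(row)
    for issue in validate_plan(REGISTER, THRESHOLD):
        print("ISSUE:", issue)
```

Running it lists six RTP rows in priority order (R-05 scores 4 and needs no treatment) and flags R-06 three times: no controls behind a "modify" decision, no target date, and a residual score of 8 that nobody has accepted. R-07 is retained above the threshold but passes because the owner's acceptance is recorded, which is exactly the evidence an auditor will ask for.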
Help with creating your risk treatment plan template
Below is an example of what a risk-based risk treatment plan might look like, extracted from the bestselling ISO 27001 ISMS Documentation Toolkit. The toolkit also contains an asset-based risk treatment plan template.
Developed by expert ISO 27001 practitioners, and used by more than 2,000 clients worldwide, the ISO 27001 ISMS Documentation Toolkit includes:
- A complete set of mandatory and supporting documentation templates that are easy to use, customisable and fully ISO 27001-compliant;
- Helpful gap analysis and project tools to ensure complete coverage of the Standard; and
- Direction and guidance from expert ISO 27001 practitioners.