What is Risk Treatment in ISO 27001?
Overview
Risk Treatment is the process of selecting and implementing options to address the information security risks identified during risk assessment. It is a mandatory requirement in ISO 27001:2022: Clause 6.1.3 defines the process (selecting options, determining controls, producing the Statement of Applicability and the risk treatment plan), and Clause 8.3 requires you to implement that plan and retain documented information about the results.
Risk treatment turns risk assessment findings into documented decisions about how each identified risk will be handled, using a small set of standard treatment options.
Risk Treatment in Practice
After completing a risk assessment, you must decide how to address each risk based on your organization's risk acceptance criteria (Clause 6.1.2) and available resources. Clause 6.1.3 of ISO 27001:2022 requires you to:
Select appropriate risk treatment options for each identified risk, taking account of the assessment results
Determine all controls necessary to implement the chosen options (controls may come from Annex A or from any other source)
Compare the controls you determined against Annex A to verify that no necessary control has been overlooked
Produce a Statement of Applicability (SoA) listing the necessary controls, the justification for including them, whether they are implemented, and the justification for excluding any Annex A control
Formulate a Risk Treatment Plan
Obtain the risk owners' approval of the plan and their acceptance of the residual risks
The SoA is the document that shows which Annex A controls you selected and why, and which you excluded and why; the treatment decisions themselves live in the risk register and the Risk Treatment Plan, and the three must stay consistent with each other.
The Four Risk Treatment Options
ISO 27001 itself does not enumerate the treatment options; it only requires that you select appropriate ones. The four options below are the conventional set drawn from ISO/IEC 27005 and ISO 31000, and they can be combined for a single risk (for example, apply controls and insure the remainder):
1. Risk Modification (Mitigation)
Apply security controls to reduce the risk to an acceptable level. This is the most common approach and involves implementing Annex A controls.
Example: Implement access controls (A.5.15) and encryption (A.8.24) to reduce the risk of unauthorized data access.
2. Risk Avoidance
Eliminate the risk by discontinuing the activity or removing the asset that creates it.
Example: Decommission a vulnerable legacy system together with the process it supports, or stop collecting a category of data you no longer need. Note that migrating the same process to a cloud platform is not avoidance: it changes the risk (and may reduce it) but introduces new risks that must be assessed in turn.
3. Risk Sharing (Transfer)
Share part of the risk with another party, typically through insurance or outsourcing contracts. Sharing never transfers accountability: insurance covers some financial consequences only, and an outsourced service still has to be governed through supplier controls (A.5.19 to A.5.23), so a shared risk usually still needs controls and a documented residual risk.
Example: Purchase cyber insurance for breach response costs, or contract a managed security service provider for threat monitoring and define the monitoring obligations in the supplier agreement (A.5.20).
4. Risk Retention (Acceptance)
Accept the risk without further treatment when it falls within your risk acceptance criteria, or, exceptionally, when the cost of treatment clearly exceeds the potential impact and the risk owner explicitly signs off on the exception.
Example: Accept the low risk of physical theft in a secured office building where existing controls already bring the risk within the acceptance criteria.
Risk acceptance requires documented approval from the risk owner and must align with the risk acceptance criteria defined in Clause 6.1.2. This also applies to residual risk: whatever remains after modification or sharing must be accepted by the risk owner (Clause 6.1.3 f).
Risk Treatment Plan
Your Risk Treatment Plan is a required document (Clause 6.1.3) that specifies:
The chosen risk treatment options for each risk
Which controls will be implemented and why
Implementation responsibilities and timelines
Resource requirements
How effectiveness will be measured
Connection to Annex A Controls
Risk treatment decisions determine which of the 93 Annex A controls you implement. Annex A is a reference list, not an exhaustive one: you may add controls from other sources, and an Annex A control may also be applicable for legal or contractual reasons rather than because of a specific risk. Your SoA must show:
Controls selected, with the justification for each (typically the risk or obligation it addresses)
Whether each selected control is implemented
Justification for excluding any Annex A controls
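The consistency requirements described above (every modified risk has controls, every residual risk above the acceptance criteria has a documented owner acceptance, every control used in treatment appears as applicable in the SoA, and every applicable SoA control is traceable to something) are the kind of thing worth checking mechanically before an audit. The script below is an added example, not code from the original page or from ISMS Copilot. The acceptance criterion (likelihood times impact at most 6 on a 1 to 5 scale), the risk register and the SoA entries are all constructed sample data, and the tuple-based finding format is an assumption of this example.

```python
from dataclasses import dataclass
from typing import Optional

# Hypothetical risk acceptance criterion of the kind Clause 6.1.2 a) requires you to define:
# a risk is acceptable when likelihood * impact <= ACCEPT_MAX on a 1-5 x 1-5 scale.
ACCEPT_MAX = 6

# The four conventional treatment options (ISO/IEC 27005 / ISO 31000).
TREATMENT_OPTIONS = {"modify", "avoid", "share", "retain"}


@dataclass(frozen=True)
class Risk:
    rid: str
    owner: str
    likelihood: int
    impact: int
    option: str
    controls: tuple = ()               # control ids determined to implement the option
    residual: Optional[int] = None     # estimated post-treatment likelihood * impact
    accepted_by: Optional[str] = None  # risk owner who signed off the residual risk (6.1.3 f)

    @property
    def inherent(self) -> int:
        return self.likelihood * self.impact

    @property
    def effective_residual(self) -> int:
        # With no treatment estimate the inherent risk is what remains.
        return self.inherent if self.residual is None else self.residual


def check_treatment(risks, soa, accept_max=ACCEPT_MAX):
    """Cross-check a risk register against an SoA.

    soa maps control id -> (applicable: bool, justification: str).
    Returns a list of (kind, id, message) findings; an empty list means consistent.
    """
    findings = []
    for r in risks:
        if r.option not in TREATMENT_OPTIONS:
            findings.append(("RISK", r.rid, f"unknown treatment option {r.option!r}"))
            continue
        if r.option == "modify" and not r.controls:
            findings.append(("RISK", r.rid, "modify selected but no controls determined"))
        if r.effective_residual > accept_max and r.accepted_by is None:
            findings.append(("RISK", r.rid,
                             f"residual {r.effective_residual} exceeds acceptance criterion "
                             f"{accept_max} and no risk-owner acceptance is recorded"))
        for c in r.controls:
            if c not in soa:
                findings.append(("CONTROL", c, f"used to treat {r.rid} but missing from SoA"))
            elif not soa[c][0]:
                findings.append(("CONTROL", c, f"marked not applicable in SoA but used to treat {r.rid}"))
    # Applicable controls that no treatment references need another justification
    # (legal, contractual, baseline), so flag them for review rather than as errors.
    referenced = {c for r in risks for c in r.controls}
    for c, (applicable, _) in soa.items():
        if applicable and c not in referenced:
            findings.append(("SOA", c, "applicable but not traced to any risk treatment; verify justification"))
    return findings


# Constructed sample register and SoA (not real data).
RISKS = (
    Risk("R-001", "alice", 4, 4, "modify", ("A.5.15", "A.8.24"), residual=4),
    Risk("R-002", "bob", 3, 3, "share", ("A.5.20",), residual=6),
    Risk("R-003", "carol", 2, 2, "retain"),
    Risk("R-004", "dave", 5, 3, "modify", ("A.7.10",)),   # deliberately inconsistent
)
SOA = {
    "A.5.15": (True, "Treats R-001: access control"),
    "A.8.24": (True, "Treats R-001: encryption at rest"),
    "A.5.20": (True, "Treats R-002: MSSP obligations in supplier agreement"),
    "A.5.23": (True, "Cloud services in use"),           # applicable, but untraced
    "A.7.10": (False, "No removable media in use"),      # excluded, yet referenced by R-004
}

if __name__ == "__main__":
    for kind, ident, msg in check_treatment(RISKS, SOA):
        print(f"{kind:8} {ident:7} {msg}")
```

Run against the sample data it reports three findings: R-004 has a residual of 15 with no owner acceptance, A.7.10 is used in a treatment while the SoA excludes it, and A.5.23 is applicable without a traced risk. Feeding the same function your real register (exported from whatever spreadsheet or GRC tool holds it) gives you the cross-check an auditor will otherwise do by hand.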
Use ISMS Copilot to generate risk treatment options for specific scenarios or create a customized Risk Treatment Plan based on your assessment findings.
Related Terms
Risk Assessment – Precedes risk treatment in the ISMS lifecycle
Statement of Applicability (SoA) – Documents your risk treatment decisions
Annex A Controls – The 93 controls used for risk modification
Control – Individual measures that modify risk