How to create an ISO 27001-compliant risk treatment plan

Please note new versions of ISO 27001 and ISO 27002 have now been published.

To learn more about what these updates mean for your organisation, and to buy your copies of ISO 27001:2022 and ISO 27002:2022, please visit our information pages.


An RTP (risk treatment plan) is an essential part of an organisation’s ISO 27001 implementation process, as it documents the way your organisation will respond to identified threats.

It’s one of the mandatory documents you must complete as part of your ISO 27001 implementation project and forms the final stage of the ISO 27001 risk assessment process.

What are your risk treatment options with ISO 27001?

Once you’ve completed your risk assessment and defined your risk appetite, you’ll be left with a list of ‘unacceptable’ threats that need to be addressed.

ISO 27001 recommends that organisations take one of four actions:

  • Modify the risk by implementing a control to reduce the likelihood of it occurring. For example, you might address the risk of a work-issued laptop being stolen by creating a policy that instructs employees to keep devices with them and store them safely.
  • Avoid the risk by ceasing any activity that creates it. This response is appropriate if the risk is too significant to manage with a security control. For example, if you’re not willing to take any chances of a laptop being stolen, you might choose to ban employees from using them outside the premises. This option will make things less convenient for your employees but will drastically improve your security posture.
  • Share the risk with a third party. There are two ways you can do this: by outsourcing the security efforts to another organisation or by purchasing cyber insurance to ensure you have the funds to respond appropriately in the event of a disaster. Neither option is ideal because you are ultimately responsible for your organisation’s security, but they might be the best solutions if you lack the resources to tackle the risk.
  • Retain the risk. This option means that your organisation accepts the risk and believes that the cost of treating it is greater than the damage that it would cause.

Selecting appropriate controls

The most common risk treatment option is to modify the risk because it typically offers the best combination of security and cost.

Organisations can determine the best way to modify a risk by looking at the controls listed in Annex A of ISO 27001. It lists 114 controls, which are split into 14 sections (or ‘control sets’), each one tailored to a specific aspect of information security:

  • Information security policies: how policies are written and reviewed.
  • Organisation of information security: the assignment of responsibilities for specific tasks.
  • Human resource security: ensuring that employees understand their responsibilities before employment and once they’ve left or changed roles.
  • Asset management: identifying information assets and defining appropriate protection responsibilities.
  • Access control: ensuring that employees can only view information that’s relevant to their job role.
  • Cryptography: the encryption and key management of sensitive information.
  • Physical and environmental security: securing the organisation’s premises and equipment.
  • Operations security: ensuring that information processing facilities are secure.
  • Communications security: how to protect information in networks.
  • System acquisition, development and maintenance: ensuring that information security is a central part of the organisation’s systems.
  • Supplier relationships: the agreements to include in contracts with third parties and how to measure whether those agreements are being kept.
  • Information security incident management: how to report disruptions and breaches, and who is responsible for certain activities.
  • Information security aspects of business continuity management: how to address business disruptions.
  • Compliance: how to identify the laws and regulations that apply to your organisation.

Deciding which control to use is relatively straightforward. The ISO 27001 implementation team should meet with a senior employee from the relevant department to agree on the appropriate control.

For example, communications security issues should be discussed with IT, staff awareness issues with HR, and supplier relations which whichever department the third party is working with.

As with all major security decisions, you should run your decisions past senior management.

Once you’ve finalised which controls you should use, you should refer to ISO 27002 to learn more about implementing them.


Before you begin

It’s worth remembering that your RTP must be appropriate to your organisation. Implementing controls takes time, effort and money, so you need to pick your battles carefully.

You almost certainly won’t have the resources to apply controls to every risk, even if they are small controls, such as a new process or policy.

Even a new policy requires a team of people to write and approve it, generate awareness among employees and ensure that the rules are being followed and working as intended.

That’s not to say you should abandon a control if you think that it will be expensive to implement and maintain. However, you should constantly assess whether there’s a less expensive control that could generate similar results.

Your risk treatment plan made simple

Those looking for help creating a policy should take a look at our ISO 27001 Risk Treatment Plan Template.

This document, created by information security experts, lays out everything you need to complete your risk treatment plan.

It contains a risk management framework document, a risk management procedure and a risk treatment plan template document – all you have to do is customise it to your requirements.

You’ll also receive guidance notes in the framework and procedure documents, as well as examples of risk treatment plans, to ensure your documentation remains on track.

2 Comments

  1. Satya 10th May 2019
    • Luke Irwin 10th May 2019