ISO 27001 risk treatment plan

The risk treatment plan is where the assessment becomes action. Here's how to apply the four Ts, map each risk to Annex A controls, and produce a plan auditors actually accept.

What clause 6.1.3 actually requires

ISO 27001 clause 6.1.3 says: for every unacceptable risk identified in your assessment, choose a treatment option, determine the controls needed, compare those controls to Annex A, produce a Statement of Applicability, and get the risk owners to approve the plan and accept the residual risk. The risk treatment plan is the document that ties all of that together.

The four Ts

  • Treat — apply controls to reduce likelihood, impact, or both. The most common option for security risks.
  • Transfer — move the risk to a third party via insurance, contract clauses, or outsourcing. The risk does not disappear; ownership shifts.
  • Tolerate — formally accept the residual risk. Requires written sign-off from a risk owner with authority commensurate with the impact.
  • Terminate — stop the activity that creates the risk. Underused — sometimes the right answer is to retire the system.

A five-step path to a working plan

Step 1

Start from your prioritised risk register

Only risks above your acceptance threshold need a treatment decision. Everything below can be tolerated by default, with the threshold itself approved by management.

Step 2

Pick one of the four Ts per risk

Write the choice and the rationale in one or two sentences. "Treat — likelihood is the driver, add MFA and conditional access" beats "Implement security controls".

Step 3

Map the treatment to Annex A controls

For each Treat decision, list the Annex A controls (ISO 27001:2022 numbering) you are applying — e.g. A.5.17 (authentication information), A.8.5 (secure authentication), A.5.7 (threat intelligence). This mapping is what feeds the Statement of Applicability.

Step 4

Set owner, target residual, and due date

A treatment without an owner is a wish. A treatment without a target residual score is unauditable. A treatment without a due date never ships.

Step 5

Get sign-off and review on a cadence

The risk owner approves the treatment; senior management approves the residual risk. Review the plan at least annually and whenever a risk's likelihood or impact materially changes.

A worked example

Risk: Phishing of staff credentials leads to account takeover (inherent 5×4 = 20).
Treatment: Treat. Driver is likelihood.
Annex A controls: A.5.17, A.8.5, A.6.3 (information security awareness), A.8.16 (monitoring activities).
Owner: Head of IT. Target residual: 2×3 = 6. Due: 90 days. Residual accepted by: CISO.

A treatment plan that writes itself

ISO-STANDARD.app links every risk to Annex A controls, treatment decisions, owners and target residual scores in one place — and exports the treatment plan and Statement of Applicability auditors expect.

ISO-STANDARD.app ships a ready-to-adopt ISO 27001 workspace with the risk register, controls catalogue, policies and audit-ready exports already wired together — no spreadsheet sprawl, no consultant lock-in.

Prefer a conversation? Email hello@iso-standard.app — a real human responds within one business day.

Frequently asked questions

What is a risk treatment plan?
A documented decision, per risk, of which of the four Ts you will apply (Treat, Transfer, Tolerate, Terminate), the controls you will implement, the owner, the target residual score and the due date. ISO 27001 clause 6.1.3 makes it a mandatory output of risk assessment.
What are the four Ts of risk treatment?
Treat — reduce likelihood or impact with controls. Transfer — share or shift the risk (insurance, contracts, outsourcing). Tolerate — formally accept the risk where treatment cost exceeds benefit. Terminate — stop the activity that creates the risk.
How does the treatment plan connect to Annex A?
Every Treat decision should name the Annex A controls you are applying. The Statement of Applicability then justifies which Annex A controls are in or out of scope, with a back-reference to the treatment plan.
Who signs off the treatment plan?
The risk owner approves the choice of treatment; senior management (usually the ISMS manager and a board sponsor) approves residual risk acceptance. Both signatures are required evidence at certification.