Glossary · Compliance concepts

What is Risk Treatment?

Also known as: Risk treatment plan, Risk response

Risk treatment is the process of deciding how to handle each risk identified in a risk assessment, by mitigating, accepting, transferring, or avoiding it. Whatever risk remains after treatment is the residual risk. The decisions are recorded in a risk treatment plan that drives control selection.

Key takeaways

  • Risk treatment chooses one of four responses for each risk: mitigate, accept, transfer, or avoid.
  • Mitigation usually means applying controls; transfer often means insurance or contracts.
  • What remains after treatment is the residual risk, which must be formally accepted.
  • Treatment decisions drive which Annex A controls are marked applicable in the Statement of Applicability.
  • The decisions are captured in a documented risk treatment plan.

What risk treatment is

Risk treatment is the step that follows a risk assessment. Once risks are identified and scored, the organization decides what to do about each one. Treatment turns analysis into action and is where security investment is actually justified.

For every risk above the acceptance threshold, the organization chooses a response. The choice depends on the risk's severity, the cost of addressing it, and the organization's appetite for risk.

The decisions are documented in a risk treatment plan, which records the chosen response, the controls or actions involved, the owner, and the expected outcome.

The four treatment options

There are four standard ways to treat a risk:

  • Mitigate (or modify): apply controls to reduce likelihood or impact
  • Accept (or retain): consciously tolerate the risk, usually for low-severity ones
  • Transfer (or share): shift some of the risk to a third party, such as via insurance or a contract
  • Avoid: eliminate the risk by stopping the activity that creates it

Mitigation is the most common response and is where Annex A controls come in: the controls selected to reduce a risk are marked applicable in the Statement of Applicability. Where a preferred control is impractical, a compensating control can substitute.

Residual risk and ownership

No treatment reduces a risk to zero. The portion that remains after controls are applied is the residual risk. ISO 27001 expects this residual risk to be formally acknowledged and accepted by a designated risk owner, typically at a management level appropriate to its severity.

Ownership matters because accepting residual risk is a business decision, not a technical one. The person who accepts it should have the authority to do so on the organization's behalf.

In an audit, the certification body checks that treatment decisions are documented, that residual risks are formally accepted, and that the treatment plan aligns with the controls actually in place. A treatment plan disconnected from the real environment is a finding.

Frequently asked questions

What does it mean to accept a risk?
Accepting a risk means consciously deciding to tolerate it rather than spend resources reducing it further, usually because it is low severity or treatment would cost more than the risk warrants. The acceptance should be documented and owned.
Is risk transfer the same as eliminating a risk?
No. Transfer shifts some financial or operational consequence to a third party, such as an insurer, but the organization usually retains accountability and some residual exposure. Only avoidance eliminates the risk entirely.
How does risk treatment connect to the Statement of Applicability?
Treatment decisions determine which controls you apply, and those controls are recorded as applicable in the Statement of Applicability. The two documents should tell a consistent story.
Who is allowed to accept residual risk?
A designated risk owner with appropriate authority, typically at a management level matched to the risk's severity, since accepting residual risk is a business decision rather than a technical one.

Authoritative sources

← Back to the glossary