Risk Treatment Plan and risk treatment process – What’s the difference?
Risk Treatment Plan is one of the key documents in ISO 27001, however it is very often confused with the documentation that is produced as the result of a risk treatment process. Here’s the difference:
Risk treatment process
Risk treatment is a step in the risk management process that follows the risk assessment step – in the risk assessment all the risks need to be identified, and risks that are not acceptable must be selected. The main task in the risk treatment step is to select one or more options for treating each unacceptable risk, i.e. decide how to mitigate all these risks. Four risk treatment options exist (for complete risk management process, please read ISO 27001 risk assessment & treatment – 6 basic steps):
- Apply security controls from Annex A to decrease the risks – see this article ISO 27001 Annex A controls.
- Transfer the risk to another party – e.g. to an insurance company by buying an insurance policy.
- Avoid the risk by stopping an activity that is too risky, or by doing it in a completely different fashion.
- Accept the risk – if, for instance, the cost of mitigating that risk would be higher that the damage itself.
Risk treatment is usually done in a form of a simple sheet, where you link mitigation options and controls with each unacceptable risk; this can also be done with a risk management tool, if you use one. According to ISO 27001, it is required to document the risk treatment results in the Risk assessment report, and those results are the main inputs for writing Statement of Applicability. This means that results of risk treatment are not directly documented in Risk Treatment Plan.
Risk Treatment Plan
So, where is the Risk Treatment Plan in this whole process? The answer is: it can be written only after Statement of Applicability is finished.
Why is this so? To start thinking about Risk Treatment Plan, it would be easier to think of it is an “Action plan” where you need to specify which security controls you need to implement, who is responsible for them, what are the deadlines, and which resources (i.e. financial and human) are required. But in order to write such a document, first you need to decide which controls need to be implemented, and this is done (in a very systematic way) through Statement of Applicability.
The question is – why didn’t ISO 27001 require the results from risk treatment process to be documented directly in the Risk Treatment Plan? Why was this step in between needed, in the form of Statement of Applicability? My opinion is that the authors of ISO 27001 wanted to encourage companies to get a comprehensive picture of information security – when deciding which controls are applicable in Statement of Applicability and which are not, the result of risk treatment is not the only input – other inputs are legal, regulatory and contractual requirements, other business needs, etc. In other words, SoA serves as a kind of a checklist that takes a global view of the organization, and Risk Treatment Plan wouldn’t be complete without such a check.
To conclude – Risk Treatment Plan is the point where theory stops, and real life begins according to ISO 27001. Good risk assessment and risk treatment process, as well as comprehensive Statement of Applicability, will produce very usable action plan for your information security implementation; skip some of these steps and Risk Treatment Plan will only confuse you.
Click here to see a sample Risk Treatment Plan.