
Risk Treatment

Definition

Risk treatment is the structured process of deciding how an organization will address identified risks and implementing the actions needed to bring those risks to an acceptable level. In ISO/IEC 27001, risk treatment follows information security risk assessment and is used to select a treatment option (avoid, modify/mitigate, share/transfer, or retain/accept), choose appropriate controls, and define a plan to implement them. A risk treatment decision typically considers business objectives, legal and contractual obligations, feasibility, cost, and the organization’s risk appetite and risk acceptance criteria. The output is commonly documented in a risk treatment plan with owners, timelines, and evidence, and supported by a Statement of Applicability that records which controls are selected, why, and how they are implemented. Risk treatment does not eliminate risk entirely; it reduces likelihood and/or impact and results in residual risk that must be evaluated and explicitly accepted by authorized stakeholders. Equivalent concepts in other governance and security programs are often called risk response, risk remediation, or risk response planning.

Real-World Examples

Startup: Treat account takeover risk

A SaaS startup identifies a high risk of credential stuffing. It treats the risk by implementing MFA, rate limiting, stronger password controls, and monitoring, then records residual risk and acceptance criteria.

Scaleup: Reduce cloud data loss risk

A scaleup treats data loss risk by adding automated backups, immutable storage, and tested restore procedures, and shares part of the financial exposure through insurance and contractual terms.

Enterprise: Address third-party outage risk

An enterprise treats supplier outage risk by implementing multi-vendor redundancy, strengthening SLAs, and creating failover playbooks; it may avoid the risk by exiting a high-risk provider.

Risk treatment is the process of choosing how to address a risk and implementing actions to reduce it to an acceptable level, then evaluating and approving the remaining (residual) risk.

Common options include avoiding the activity, mitigating by reducing likelihood or impact, transferring/sharing through contracts or insurance, and accepting/retaining the risk within approved criteria.

Define the chosen treatment option, select controls, assign owners, set timelines and milestones, identify required resources, and specify evidence and metrics to demonstrate completion and effectiveness.

Risk treatment is the overall decision and action plan for a risk (including accept, transfer, or avoid), while mitigation is a specific treatment approach focused on reducing likelihood and/or impact.

Accept a risk when it falls within defined acceptance criteria and risk appetite, mitigation is not cost-effective or feasible, and an authorized approver explicitly accepts the residual risk.

A risk owner is accountable for treatment actions, while approval typically comes from management with delegated authority based on impact thresholds, ensuring decisions align with risk appetite and governance.

Residual risk is the remaining risk after controls are implemented. Assess it by re-evaluating likelihood and impact, validating control operation, and confirming it meets acceptance criteria for formal approval.

Prioritize by severity (likelihood × impact), regulatory or contractual urgency, business criticality, and dependency risk, then sequence actions based on effort, time-to-reduce-risk, and resource constraints.

Record the risk, selected option, rationale, chosen controls, owners, due dates, evidence links, and approvals, and maintain a clear trail of residual risk evaluation and acceptance decisions.

Review at defined intervals and whenever significant changes occur (systems, suppliers, incidents, or threats), updating status, evidence, and residual risk assessments to keep decisions current and defensible.

Version   Date         Author                            Description
1.0.0     2026-02-26   WatchDog Security GRC Wiki Team   Initial publication