Information security risk plan
Plain English Translation
Clause 6.1.3 is where the organization decides how to handle the risks identified during the assessment phase. You must choose whether to mitigate, accept, transfer, or avoid each risk. This process requires producing a Risk Treatment Plan that details specific actions and deadlines, and a Statement of Applicability (SoA) that acts as a checklist declaring which Annex A controls are implemented and justifying any exclusions.
Technical Implementation
Required Actions (startup)
- Create a Statement of Applicability (SoA) spreadsheet listing all 93 controls
- Develop a simple Risk Treatment Plan for top 5 risks
- Obtain CTO sign-off on the SoA
Required Actions (scaleup)
- Link Risk Treatment Plan items to engineering tickets (e.g., Jira)
- Review the SoA semi-annually to reflect infrastructure changes
- Implement automated reminders for risk treatment deadlines
Clause 6.1.3 requires the organization to decide how to handle identified risks by selecting treatment options, determining the necessary controls, producing a Statement of Applicability (SoA), and formulating a plan to implement those controls.
The four standard options are: 1) Mitigate (apply controls to reduce risk), 2) Accept (retain the risk), 3) Avoid (stop the activity causing the risk), and 4) Transfer (share risk via insurance or contracts).
For each risk you choose to mitigate, document the specific action to be taken, the person responsible (owner), the required resources, the target completion date, and how effectiveness will be measured. In practice, it helps to manage these actions like deliverables with owners, reminders, and an evidence trail; for example, WatchDog Security's Risk Register can track treatment tasks, due dates, approvals, and residual risk over time.
The Statement of Applicability (SoA) is a mandatory document that lists all Annex A controls, states whether they are applicable to your organization, and provides the justification for their inclusion or exclusion.
After determining the controls needed to treat your specific risks, you map them against the list in Annex A (A.5-A.8) to verify that no necessary industry-standard controls have been overlooked.
Risk assessment (Clause 6.1.2) identifies and evaluates the risks (diagnosis), whereas risk treatment (Clause 6.1.3) determines the specific actions to address those risks (remedy).
Selection involves balancing the cost and effort of implementing a control against the potential impact of the risk, while ensuring the residual risk falls within the organization's acceptance criteria.
Required documentation includes the Risk Treatment Process, the Risk Treatment Plan, the Statement of Applicability (SoA), and records of risk owners' approval of the plan. Many teams also maintain an evidence trail showing treatment progress and final effectiveness checks; for example, WatchDog Security's Compliance Center can centralize the SoA, treatment artifacts, and related evidence to support audit readiness.
In practice, SoAs get stale when infrastructure, SaaS usage, and processes change faster than the documentation. A GRC platform helps by tying each Annex A control to owners, evidence, and change triggers so updates are easier to spot and audit trails stay intact. For example, WatchDog Security's Compliance Center can track SoA applicability decisions alongside control status and evidence, making it simpler to keep the SoA current between audits.
Risk treatment plans often fail due to unclear ownership, missed due dates, and lack of measurable completion criteria. A structured workflow helps by assigning owners, setting deadlines, capturing approvals, and recording evidence of completion and effectiveness checks. For example, WatchDog Security's Risk Register can track treatment actions, residual risk decisions, and approvals over time so you can demonstrate progress and sign-off history during an ISO 27001 audit.
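The plan fields described above (action, owner, resources, target date, effectiveness measure), the residual-risk check against acceptance criteria, the deadline reminders, and the mapping of chosen controls against Annex A can all be exercised on a small in-memory plan. The following is an added example written for this page; it is not WatchDog Security's Risk Register or Compliance Center, and its 3-point scoring scale, acceptance threshold, sample risks and four-control Annex A excerpt are constructed assumptions rather than anything ISO 27001 prescribes.

```python
"""Treatment-plan hygiene checks for ISO 27001 Clause 6.1.3 (constructed example).

Flags the failure modes named in the text: missing owner, missed due date,
no measurable completion criterion, residual risk outside acceptance criteria,
and mitigations with no Annex A control mapped. Also derives which Annex A
controls the plan references so the SoA can be checked for gaps.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

LEVEL = {"low": 1, "medium": 2, "high": 3}   # assumed 3-point likelihood/impact scale
ACCEPTANCE_THRESHOLD = 3                      # assumed: residual score <= 3 is acceptable
OPTIONS = {"mitigate", "accept", "avoid", "transfer"}


@dataclass
class Treatment:
    risk_id: str
    option: str                               # one of OPTIONS
    action: str                               # the specific action to be taken
    owner: Optional[str]                      # person responsible
    due: Optional[date]                       # target completion date
    resources: str                            # required resources
    effectiveness_measure: Optional[str]      # how completion/effectiveness is judged
    residual_likelihood: str
    residual_impact: str
    controls: List[str] = field(default_factory=list)  # Annex A ids, e.g. "A.8.24"
    owner_approved: bool = False              # risk owner's approval of this plan item


def residual_score(t: Treatment) -> int:
    """Residual risk after treatment, on the assumed likelihood x impact scale."""
    return LEVEL[t.residual_likelihood] * LEVEL[t.residual_impact]


def review_treatment(t: Treatment, today: date) -> List[str]:
    """Return the problems a GRC reviewer would flag for one treatment item."""
    problems = []
    if t.option not in OPTIONS:
        problems.append(f"unknown treatment option '{t.option}'")
    if t.option == "mitigate" and not t.controls:
        problems.append("mitigate chosen but no Annex A controls mapped")
    if not t.owner:
        problems.append("no owner assigned")
    if t.due is None:
        problems.append("no target completion date")
    elif t.due < today:
        problems.append(f"overdue since {t.due.isoformat()}")
    if not t.effectiveness_measure:
        problems.append("no measurable completion/effectiveness criterion")
    # A residual above the threshold is only tolerable as a conscious, approved acceptance.
    if residual_score(t) > ACCEPTANCE_THRESHOLD and not (t.option == "accept" and t.owner_approved):
        problems.append(f"residual score {residual_score(t)} exceeds acceptance threshold")
    if not t.owner_approved:
        problems.append("risk owner has not approved the plan")
    return problems


def review_plan(plan: List[Treatment], today: date) -> Dict[str, List[str]]:
    """Map risk id -> problems, including only items that have at least one."""
    result = {}
    for t in plan:
        problems = review_treatment(t, today)
        if problems:
            result[t.risk_id] = problems
    return result


def due_reminders(plan: List[Treatment], today: date, window_days: int = 14) -> List[str]:
    """Risk ids whose treatment is overdue or due within the reminder window."""
    horizon = today + timedelta(days=window_days)
    return sorted(t.risk_id for t in plan if t.due is not None and t.due <= horizon)


def soa_coverage(plan: List[Treatment], annex_a_ids: List[str]) -> Tuple[Dict[str, List[str]], List[str], List[str]]:
    """Map the plan's controls against the Annex A catalogue.

    Returns (applicable: control -> risks that rely on it,
             unreferenced: catalogue controls still needing an explicit SoA justification,
             unknown: control ids used in the plan that are not in the catalogue).
    """
    applicable: Dict[str, List[str]] = {}
    for t in plan:
        for c in t.controls:
            applicable.setdefault(c, []).append(t.risk_id)
    unreferenced = [c for c in annex_a_ids if c not in applicable]
    unknown = [c for c in applicable if c not in annex_a_ids]
    return applicable, unreferenced, unknown


# Constructed sample data. A real SoA lists all 93 controls; this excerpt has four.
ANNEX_A_SAMPLE = ["A.5.1", "A.6.3", "A.8.24", "A.8.25"]
TODAY = date(2025, 6, 1)
SAMPLE_PLAN = [
    Treatment("R-01", "mitigate", "Encrypt customer backups at rest", "alice", date(2025, 6, 10),
              "2 eng-days", "100% of backup volumes report encryption enabled", "low", "medium",
              ["A.8.24"], owner_approved=True),
    Treatment("R-02", "mitigate", "Add SAST to the CI pipeline", None, date(2025, 5, 15),
              "1 eng-week", None, "medium", "high", ["A.8.25"]),
    Treatment("R-03", "accept", "Tolerate legacy VPN until Q4 replacement", "bob", date(2025, 12, 31),
              "none", "replacement project milestone reached", "medium", "medium", [], owner_approved=True),
]

if __name__ == "__main__":
    for risk_id, problems in review_plan(SAMPLE_PLAN, TODAY).items():
        print(risk_id, "->", "; ".join(problems))
    print("reminders due:", due_reminders(SAMPLE_PLAN, TODAY))
    print("SoA coverage:", soa_coverage(SAMPLE_PLAN, ANNEX_A_SAMPLE))
```

On the sample plan, R-02 is the only item with findings (no owner, overdue, no effectiveness criterion, residual above threshold, unapproved), R-01 and R-02 fall inside the 14-day reminder window, and A.5.1 and A.6.3 surface as controls the plan never references, which is exactly the list a reviewer must justify one way or the other in the SoA rather than leave silently excluded.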
"The organization shall define and apply an information security risk treatment process to: a) select appropriate information security risk treatment options... b) determine all controls that are necessary... d) produce a Statement of Applicability... e) formulate an information security risk treatment plan."
| Version | Date | Author | Description |
|---|---|---|---|
| 1.0.0 | 2025-05-27 | WatchDog Security GRC Team | Initial publication |