Information security risk treatment
Plain English Translation
Clause 8.3 is the operational counterpart to the planning done in Clause 6.1.3. While Clause 6 focuses on deciding how to handle risks (mitigate, accept, transfer, avoid), Clause 8.3 requires the organization to execute those decisions. You must implement the specific controls and actions defined in your Risk Treatment Plan and keep evidence (logs, tickets, reports) showing that the treatment was actually applied and is working.
Technical Implementation
Required Actions (startup)
- Track risk remediation tasks in a simple spreadsheet or Kanban board
- Mark risks as 'Closed' only when evidence (e.g., a screenshot) is saved
- Review open risk treatments monthly with the CTO
Required Actions (scaleup)
- Link risk treatment tickets (Jira/Linear) directly to the Risk Register
- Require 'Risk Owner' sign-off before closing a treatment task
- Conduct quarterly reviews to ensure treatment plans are on schedule
Required Actions (enterprise)
- Automate evidence collection for risk treatment using a GRC platform
- Integrate risk treatment status into executive dashboards
- Trigger automated alerts when risk treatment deadlines are missed
Clause 8.3 mandates the actual execution of the Risk Treatment Plan defined in Clause 6.1.3. It requires organizations to implement selected controls and retain evidence of the results.
You implement it by executing the actions listed in your Risk Treatment Plan—such as deploying new software, writing policies, or conducting training—and ensuring the Risk Owner verifies completion. WatchDog Security's Risk Register can help track each treatment action to an owner, deadline, and evidence, so closure is based on documented results rather than status updates alone.
A Risk Treatment Plan should include the risk being addressed, the selected treatment option (mitigate, transfer, accept, avoid), the specific actions to be taken, the resources required, the deadline, and the responsible owner.
Risk treatment must be documented continuously as actions are completed. Clause 8.3 explicitly requires the organization to 'retain documented information of the results' of the treatment. WatchDog Security's Compliance Center can help by mapping treatment actions to evidence requirements and keeping a time-stamped record of completed tasks and supporting artifacts.
Common controls include those listed in Annex A, such as Access Control (A.5.15), Information Security Awareness (A.6.3), Malware Protection (A.8.7), and Backup (A.8.13).
Results should be reviewed at planned intervals (e.g., quarterly risk reviews) or whenever significant changes occur (Clause 8.2) to ensure the treatment remains effective.
Risk Assessment (Clause 8.2) identifies and evaluates the risks. Risk Treatment (Clause 8.3) involves taking specific actions to fix, reduce, or manage those risks.
Compliance is demonstrated by showing auditors the Risk Treatment Plan and the corresponding evidence (logs, screenshots, signed documents) that proves the planned actions were actually completed.
Risk treatment often fails in execution because tasks, owners, evidence, and due dates live in different places. WatchDog Security's Compliance Center can centralize treatment activities by linking controls and treatment tasks to required evidence, highlighting gaps, and keeping an audit-ready trail of what was implemented and when.
Auditors typically want to see a clear chain from risk decision to implemented change to proof of effectiveness. WatchDog Security's Secure File Sharing can help by storing and sharing sensitive evidence (screenshots, exports, approvals) with access controls and audit logs, so risk owners can provide verifiable documentation without emailing files around.
| Version | Date | Author | Description |
|---|---|---|---|
| 1.0.0 | 2025-05-27 | WatchDog Security GRC Team | Initial publication |