Definition

Risk treatment

Risk treatment is the process of selecting and implementing options to modify the identified risk level.

According to ISO 31000, risk treatment involves selecting one or more options to modify risks and implementing those options. The four fundamental options are: avoid the risk, modify likelihood or consequence, share the risk, or retain the risk informed.

Key aspects

Four options

Avoid (eliminate activity), modify (implement controls), share (transfer to third parties or insurance) and retain (consciously accept).

Treatment plan

Each treated risk requires a documented plan with responsible person, deadline, resources and effectiveness criteria.

Residual risk

After treatment, residual risk must be within the organization's risk appetite. If not, additional treatment is required.

Frequently asked questions

Modifying risk through controls is the most frequent option. In information security, this translates to implementing ISO 27001 Annex A controls.

The decision to retain a risk must be approved by whoever has authority over that risk level, usually top management or the designated risk owner.

Comparison

Ready to act on these findings?

Need an assessment in this area?

Request diagnosis→View research→

Loading content…

Risk treatment

Key aspects

Four options

Treatment plan

Residual risk

Frequently asked questions

ISO 27001 vs ISO 42001: key differences between information security and AI management

ISO 9001 vs ISO 27001: quality management vs information security

How to implement ISO 27001 in your organization

How to prepare for an ISO audit

Shadow AI: artificial intelligence use without formal governance

Personal data breach: exposure assessment and privacy controls

Ready to act on these findings?

Risk treatment

Key aspects

Four options

Treatment plan

Residual risk

Frequently asked questions

ISO 27001 vs ISO 42001: key differences between information security and AI management

ISO 9001 vs ISO 27001: quality management vs information security

How to implement ISO 27001 in your organization

How to prepare for an ISO audit

Shadow AI: artificial intelligence use without formal governance

Personal data breach: exposure assessment and privacy controls

Ready to act on these findings?

Risk treatment

Key aspects

Four options

Treatment plan

Residual risk

Frequently asked questions

Related content

ISO 27001 vs ISO 42001: key differences between information security and AI management

ISO 9001 vs ISO 27001: quality management vs information security

How to implement ISO 27001 in your organization

How to prepare for an ISO audit

Shadow AI: artificial intelligence use without formal governance

Personal data breach: exposure assessment and privacy controls

Ready to act on these findings?

Risk treatment

Key aspects

Four options

Treatment plan

Residual risk

Frequently asked questions

Related content

ISO 27001 vs ISO 42001: key differences between information security and AI management

ISO 9001 vs ISO 27001: quality management vs information security

How to implement ISO 27001 in your organization

How to prepare for an ISO audit

Shadow AI: artificial intelligence use without formal governance

Personal data breach: exposure assessment and privacy controls

Ready to act on these findings?