I was sitting across from a frustrated IT Director at a pharmaceutical company in 2020 when he pushed a 47-page risk register across the table and said, "We've identified 312 risks. Now what? Do we fix all of them? Where do we even start?"
This is the moment where most ISO 27001 implementations either transform into something brilliant or collapse into checkbox exercises that waste time and money. The difference? A properly structured risk treatment plan.
After guiding over 60 organizations through ISO 27001 certification, I've learned that risk assessment is only half the battle. The real magic—and the real challenge—happens in risk treatment. This is where you transform a list of scary possibilities into a strategic action plan that actually protects your organization.
Let me show you how to do it right.
What ISO 27001 Actually Says About Risk Treatment (And What It Means)
ISO 27001 Clause 6.1.3 requires organizations to define and apply a risk treatment process. Sounds simple, right? But here's what fifteen years in the field has taught me: the standard tells you what to do, but not how to do it well.
The standard requires that your risk treatment plan includes:
Risk treatment options selected
Controls needed to implement the options
Responsibilities for implementing the plan
Required resources
Performance measures
Verification methods
But that's just the skeleton. Let me show you how to put flesh on these bones.
"A risk register without a treatment plan is like a medical diagnosis without a prescription—it tells you what's wrong but does nothing to fix it."
The Four Risk Treatment Options (And When to Actually Use Each)
ISO 27001 gives you four options for treating risk. Most organizations I work with think they understand these, but they're actually applying them wrong. Let me break down each option with real scenarios.
Option 1: Risk Avoidance (Eliminate the Risk Entirely)
What it means: Stop doing the activity that creates the risk.
When to use it: When the risk outweighs the benefit, or when there's a simpler alternative.
I worked with a legal firm that was storing sensitive client documents on a third-party file-sharing service that kept having security incidents. Their risk assessment flagged this as high risk.
Their treatment? They didn't try to "secure" the insecure service. They avoided the risk entirely by migrating to a dedicated document management system designed for legal compliance. Cost more upfront, but eliminated an entire class of risks.
Real example from my consulting:
Risk: Unauthorized access to customer database through legacy FTP server
Treatment: Decommission FTP server entirely, migrate to SFTP with MFA
Result: Risk eliminated, not just reduced
Option 2: Risk Modification (Implement Controls to Reduce Risk)
What it means: Apply security controls to reduce likelihood or impact.
When to use it: When you need to continue the risky activity but can make it safer (this is the most common option).
This is where most of your work happens. A fintech startup I advised had high risk around unauthorized access to their production environment. They couldn't avoid the risk—developers needed access.
Their treatment plan included:
Implementing privileged access management (PAM)
Requiring MFA for all production access
Implementing session recording
Creating automated alerts for suspicious activities
Quarterly access reviews
Risk reduction: Likelihood dropped from "High" to "Low," impact stayed the same but with better detection and response.
Option 3: Risk Sharing (Transfer Risk to Third Parties)
What it means: Use insurance, outsourcing, or contracts to share the risk burden.
When to use it: When others can manage the risk better or cheaper than you can.
I helped an e-commerce company that was terrified of payment card breaches. Their risk treatment included:
Implementing a payment gateway (shared technical risk)
Purchasing cyber insurance (shared financial risk)
Using a PCI-compliant hosting provider (shared infrastructure risk)
Critical lesson: Risk sharing doesn't eliminate your responsibility. You still need controls, just fewer of them.
Option 4: Risk Retention (Accept the Risk)
What it means: Consciously decide to accept the risk without additional controls.
When to use it: When the cost of treatment exceeds the potential impact, or residual risk is acceptable.
Here's where organizations get nervous. "You want us to just... accept risk?" Yes, but intelligently.
A manufacturing client had a risk around physical security at a remote warehouse. Full biometric access control would cost $85,000. The warehouse stored raw materials worth $12,000 and had basic locks and cameras.
Treatment decision: Accept the risk with existing controls. Document the decision. Review annually.
Key point: Risk acceptance requires senior management approval in ISO 27001. This isn't the IT team making risk decisions—it's business leadership.
Building Your Risk Treatment Plan: The Framework That Actually Works
Let me share the framework I've refined over 15 years and hundreds of implementations. This turns a chaotic risk register into a strategic action plan.
Step 1: Risk Prioritization (The Part Everyone Gets Wrong)
Most organizations try to treat all risks equally. This is impossible and inefficient.
Here's the prioritization matrix I use:
| Risk Level | Likelihood | Impact | Treatment Priority | Typical Timeline |
|---|---|---|---|---|
| Critical | High | High | Immediate | 0-30 days |
| High | High | Medium | Urgent | |
| High | Medium | High | Urgent | |
| Medium | Medium | Medium | Normal | |
| Medium | Low | High | Normal | |
| Low | Low | Low | Planned | |
| Low | Any | Low | Planned | |
Real scenario: An insurance company I worked with had 187 identified risks. Using this matrix:
8 risks were Critical (immediate action)
23 risks were High (90-day plan)
89 risks were Medium (6-month plan)
67 risks were Low (annual review)
This turned an overwhelming list into a manageable roadmap.
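The prioritization step above, as an added example that is not part of the original article: score each risk as likelihood × impact on the 1-5 scale the article's tables use, band the score, and bucket each band into a treatment timeline. The band thresholds are an assumption inferred from the article's own worked tables, and the sample register reuses the ten risks from its SaaS example.

```python
"""Risk prioritization for a treatment plan: score = likelihood x impact on a
1-5 scale, band the score into Critical/High/Medium/Low, then bucket each
band into the article's treatment timelines."""
from collections import Counter
from dataclasses import dataclass

# Assumption: thresholds inferred from the article's worked tables
# (20-25 Critical, 15-16 High, 8-12 Medium, 6 Low); adjust to your methodology.
LEVEL_BANDS = [(20, "Critical"), (15, "High"), (8, "Medium"), (0, "Low")]
TIMELINE = {"Critical": "immediate (0-30 days)", "High": "90-day plan",
            "Medium": "6-month plan", "Low": "annual review"}
RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}

@dataclass(frozen=True)
class Risk:
    risk_id: str
    description: str
    likelihood: int  # 1 (rare) to 5 (almost certain)
    impact: int      # 1 (negligible) to 5 (critical)

def score(likelihood: int, impact: int) -> int:
    """Likelihood x impact; values outside the 1-5 scale are rejected."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact must be on the 1-5 scale")
    return likelihood * impact

def band(score_value: int) -> str:
    """Map a score to the first level whose threshold it meets."""
    return next(name for threshold, name in LEVEL_BANDS if score_value >= threshold)

def prioritize(risks):
    """Return (risk, score, level, timeline) rows, highest priority first.
    Inside a band, higher score wins, then higher impact, then risk ID."""
    rows = []
    for risk in risks:
        s = score(risk.likelihood, risk.impact)
        level = band(s)
        rows.append((risk, s, level, TIMELINE[level]))
    rows.sort(key=lambda row: (RANK[row[2]], -row[1], -row[0].impact,
                               row[0].risk_id))
    return rows

def distribution(risks) -> dict:
    """How many risks fall into each band, e.g. {'Critical': 1, 'High': 4, ...}."""
    return dict(Counter(level for _, _, level, _ in prioritize(risks)))

# Sample register: the ten risks from the article's SaaS example.
REGISTER = [
    Risk("R-001", "Unauthorized PHI access", 4, 5),
    Risk("R-002", "Ransomware encryption of production DB", 3, 5),
    Risk("R-003", "Loss of customer data (no backups)", 3, 5),
    Risk("R-004", "AWS misconfiguration exposure", 4, 4),
    Risk("R-005", "Phishing compromise of admin accounts", 4, 4),
    Risk("R-006", "Vendor data breach", 3, 4),
    Risk("R-007", "Code vulnerability exploitation", 3, 3),
    Risk("R-008", "Physical device theft", 2, 3),
    Risk("R-009", "Insider data exfiltration", 2, 4),
    Risk("R-010", "DDoS service interruption", 2, 3),
]

if __name__ == "__main__":
    for risk, s, level, when in prioritize(REGISTER):
        print(f"{risk.risk_id} {s:>2} {level:<8} {when:<22} {risk.description}")
```

The article's own top-10 ranking differs inside the High band because it applied judgement (patient-safety impact first); the sort here is purely score-based, so treat its order as a starting point for that discussion.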
"You can't boil the ocean. Prioritize ruthlessly, execute flawlessly on what matters most, and schedule the rest."
Step 2: Treatment Selection (The Decision Matrix)
For each risk, I use this decision framework:
| Treatment Option | Best When | Cost Profile | Time to Implement | Residual Risk |
|---|---|---|---|---|
| Avoid | Risk > Benefit | Variable | Fast | None |
| Modify | Must continue activity | High | Slow | Low-Medium |
| Share | Others more capable | Medium | Medium | Medium |
| Accept | Cost > Benefit | Minimal | Immediate | Original Risk |
Case study from 2022: A healthcare provider had a critical risk around legacy medical devices that couldn't be patched.
Analysis:
Avoid: Replace all devices ($2.3M, 18 months) ❌ Too expensive
Modify: Network segmentation + monitoring ($180K, 3 months) ✅ Selected
Share: Cyber insurance ($45K/year) ✅ Added as supplement
Accept: Not acceptable for patient safety ❌
Result: Combined modification + sharing approach that was cost-effective and implementable.
Step 3: Control Selection (Picking the Right Tools for the Job)
ISO 27001 Annex A provides 93 controls across 14 categories. Here's how I map risks to controls:
Common Risk-to-Control Mapping
| Risk Category | Relevant Annex A Controls | Implementation Priority |
|---|---|---|
| Unauthorized Access | A.9 (Access Control), A.8 (Asset Management) | High |
| Data Breaches | A.10 (Cryptography), A.13 (Communications Security) | Critical |
| Malware/Ransomware | A.12 (Operations Security), A.16 (Incident Management) | Critical |
| Insider Threats | A.7 (Human Resources), A.9 (Access Control) | High |
| Third-Party Risks | A.15 (Supplier Relationships) | High |
| Physical Security | A.11 (Physical and Environmental Security) | Medium |
| Business Continuity | A.17 (Business Continuity) | High |
| Compliance Violations | A.18 (Compliance) | High |
Real example: For a risk of "Unauthorized access to customer database," I implemented:
A.9.1.2: Access control policy (defines who gets access)
A.9.2.1: User registration and de-registration (lifecycle management)
A.9.3.1: Use of secret authentication information (password policy)
A.9.4.1: Information access restriction (need-to-know principle)
A.12.4.1: Event logging (audit trail)
A.12.4.3: Administrator logs (privileged access monitoring)
Step 4: Resource Allocation (The Reality Check)
This is where rubber meets road. Every control requires resources:
Resource Planning Template
| Control ID | Control Name | Implementation Cost | Annual Maintenance | Personnel Required | Timeline |
|---|---|---|---|---|---|
| A.9.1.1 | Access Control Policy | $5,000 (consulting) | $2,000 (review) | 40 hours (CISO) | 30 days |
| A.12.1.1 | Operating Procedures | $15,000 (documentation) | $5,000 (updates) | 120 hours (IT Ops) | 60 days |
| A.12.6.1 | Technical Vulnerability Mgmt | $45,000 (tool + setup) | $18,000 (licensing) | 20 hours/month (Security) | 45 days |
| A.16.1.1 | Incident Response | $35,000 (plan + training) | $12,000 (drills) | 80 hours (IR Team) | 90 days |
Lesson from experience: I worked with a mid-sized company that enthusiastically selected 47 controls in their first treatment plan. Three months later, they'd implemented 8.
Why? They hadn't budgeted resources. We revised the plan to 22 controls over 12 months, properly resourced. They implemented all 22 on schedule.
"The best risk treatment plan is the one you actually implement, not the most comprehensive one that sits on a shelf."
The Risk Treatment Plan Document: What It Actually Needs
I've reviewed hundreds of risk treatment plans. The good ones share common elements. Here's the template I use:
Essential Components
1. Executive Summary
Number of risks identified
Risk distribution by severity
Treatment approach overview
Total investment required
Expected outcomes
2. Risk Treatment Decision Table
| Risk ID | Risk Description | Current Risk Level | Treatment Option | Selected Controls | Responsible Owner | Budget | Timeline | Target Risk Level |
|---|---|---|---|---|---|---|---|---|
| R-001 | Unauthorized database access | High (4x4=16) | Modify | A.9.1.1, A.9.2.1, A.9.4.1 | CISO | $45,000 | Q2 2024 | Low (2x4=8) |
| R-002 | Ransomware infection | Critical (5x5=25) | Modify + Share | A.12.2.1, A.12.3.1, Cyber Insurance | CTO | $125,000 | Q1 2024 | Medium (3x4=12) |
| R-003 | Physical theft of laptops | Medium (3x3=9) | Modify | A.11.1.1, A.11.2.9, A.8.1.3 | Facilities | $15,000 | Q3 2024 | Low (2x3=6) |
| R-004 | Vendor data breach | High (4x4=16) | Share + Modify | A.15.1.1, A.15.2.1, Insurance | Legal | $30,000 | Q2 2024 | Medium (3x3=9) |
3. Implementation Roadmap
Here's a sample quarterly roadmap I created for a fintech client:
Q1 2024: Critical Risks (Foundation)
Implement MFA across all systems
Deploy EDR on all endpoints
Establish incident response plan
Purchase cyber insurance
Budget: $180,000
Q2 2024: High Risks (Core Security)
Implement SIEM solution
Deploy vulnerability scanning
Establish change management
Create BCP/DR plans
Budget: $225,000
Q3 2024: Medium Risks (Enhanced Protection)
Network segmentation
Data classification program
Security awareness training
Vendor risk assessments
Budget: $140,000
Q4 2024: Optimization & Maturity
Automated compliance monitoring
Advanced threat detection
Penetration testing
Management review and adjustment
Budget: $95,000
4. Success Metrics
Define how you'll measure effectiveness:
| Metric | Baseline | Target | Measurement Method |
|---|---|---|---|
| Mean Time to Detect (MTTD) | 23 days | <8 hours | SIEM analytics |
| Unpatched Critical Vulnerabilities | 47 | 0 | Vulnerability scanner |
| Users with MFA Enabled | 23% | 100% | IAM system reports |
| Security Awareness Training Completion | 31% | 95% | LMS tracking |
| Annual Penetration Test Findings | 18 high | <3 high | Pentest reports |
Common Mistakes I See (And How to Avoid Them)
After 15+ years, I can spot a failing risk treatment plan from a mile away. Here are the patterns:
Mistake 1: Treating Symptoms Instead of Root Causes
Bad approach: Risk = "Server compromised by malware". Treatment = "Install better antivirus".
Good approach: Risk = "Unauthorized code execution on production servers". Treatment =
Application whitelisting
Least privilege access
Network segmentation
Regular patching
Security monitoring
Real case: A logistics company kept treating malware infections as individual incidents. When we looked deeper, the root cause was excessive user privileges. One control (privilege management) eliminated 80% of their malware risks.
Mistake 2: Unrealistic Timelines
I reviewed a treatment plan that scheduled 63 controls for implementation in 90 days by a team of three people.
Reality check calculation:
63 controls × 40 hours average implementation = 2,520 hours
3 people × 90 days × 8 hours = 2,160 hours
They were already 360 hours short, and that assumes nobody took a day off and nobody worked on anything else.
Fix: Stretch to 12 months, prioritize ruthlessly, or add resources.
Mistake 3: Ignoring Dependencies
You can't implement monitoring before you have logging. You can't have logging without systems to log. You can't secure systems you don't know exist.
Dependency mapping example:
Phase 1: Foundation (Prerequisites for everything else)
→ Asset inventory (A.8.1.1)
→ Asset ownership (A.8.1.2)
Mistake 4: The "Set and Forget" Approach
A manufacturing client implemented their risk treatment plan beautifully in 2019. When I returned for their 2021 surveillance audit, nothing had been reviewed or updated.
Problem: Their risk landscape had completely changed (cloud migration, remote work, new regulations), but their controls hadn't.
Solution: Schedule quarterly reviews:
Q1: Review critical and high risks
Q2: Assess control effectiveness
Q3: Update risk register for changes
Q4: Plan next year's treatments
Advanced Risk Treatment Strategies
Once you've mastered the basics, here are advanced techniques I use with mature organizations:
Strategy 1: Risk Aggregation
Instead of treating each risk individually, group related risks and implement controls that address multiple risks simultaneously.
Example: A healthcare provider had 15 separate risks related to unauthorized access. Instead of 15 separate treatment plans, we implemented:
Unified Identity Management (addressed 8 risks)
Zero Trust Architecture (addressed 11 risks)
Comprehensive Monitoring (addressed 12 risks)
Result: Three strategic initiatives eliminated or significantly reduced all 15 risks more effectively than 15 point solutions.
Strategy 2: Control Optimization
Look for controls that provide maximum risk reduction with minimum cost.
| Control Type | Risk Reduction | Implementation Cost | Cost/Effectiveness Ratio (% reduction per $1,000) |
|---|---|---|---|
| MFA Implementation | 85% reduction in access-related risks | $15,000 | 5.7 |
| Security Awareness Training | 70% reduction in phishing risks | $8,000 | 8.8 |
| Automated Patching | 90% reduction in vulnerability risks | $45,000 | 2.0 |
| Physical Security Upgrade | 40% reduction in theft risks | $85,000 | 0.5 |
Insight: MFA and training are high-value investments. Physical upgrades may not be worth the cost for this organization.
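Strategy 1 (aggregation) and Strategy 2 (optimization) together, as an added example that is not from the original article: compute the cost/effectiveness ratio from the table above, then greedily pick the set of controls that removes the most risk score per dollar within a budget, crediting a control for every risk it addresses. The control-to-risk mapping, the budget and the assumption that reductions from overlapping controls multiply are all constructed for illustration.

```python
"""Control optimization and risk aggregation: rate each candidate control by
the article's cost/effectiveness ratio, then greedily choose the set of
controls that removes the most risk score per dollar within a budget."""

def cost_effectiveness(reduction_pct: float, cost_usd: float) -> float:
    """The article's ratio: percent risk reduction per $1,000 of cost."""
    if cost_usd <= 0:
        raise ValueError("cost must be positive")
    return round(reduction_pct / (cost_usd / 1000), 1)

# Candidate controls: name -> (cost in USD, fraction of risk score removed,
# risk IDs the control addresses). The mapping to risk IDs is constructed.
CONTROLS = {
    "MFA implementation": (15_000, 0.85, {"R-001", "R-005", "R-009"}),
    "Security awareness training": (8_000, 0.70, {"R-005"}),
    "Automated patching": (45_000, 0.90, {"R-002", "R-007"}),
    "Physical security upgrade": (85_000, 0.40, {"R-008"}),
    "Unified identity management": (40_000, 0.80,
                                    {"R-001", "R-005", "R-006", "R-009"}),
}

# Current scores (likelihood x impact), constructed from the article's register.
RISK_SCORES = {"R-001": 20, "R-002": 15, "R-004": 16, "R-005": 16,
               "R-006": 12, "R-007": 9, "R-008": 6, "R-009": 8}

def marginal_value(control, residual):
    """Risk score a control would remove given what is still untreated."""
    _cost, reduction, covered = control
    return sum(residual[rid] * reduction for rid in covered if rid in residual)

def select_controls(controls, risk_scores, budget):
    """Greedy weighted set cover: repeatedly take the affordable control with
    the best remaining value per dollar. Returns (chosen names in order,
    residual scores, total spend). Assumption: reductions from several
    controls on the same risk multiply, a deliberate modelling simplification."""
    residual = dict(risk_scores)
    candidates = dict(controls)
    remaining = budget
    chosen = []
    while candidates:
        best, best_ratio = None, 0.0
        for name, control in candidates.items():
            cost = control[0]
            if cost > remaining:
                continue
            ratio = marginal_value(control, residual) / cost
            if ratio > best_ratio:
                best, best_ratio = name, ratio
        if best is None:
            break  # nothing affordable still reduces risk
        cost, reduction, covered = candidates.pop(best)
        remaining -= cost
        chosen.append(best)
        for rid in covered:
            if rid in residual:
                residual[rid] *= 1 - reduction
    return chosen, residual, budget - remaining

if __name__ == "__main__":
    for name, (cost, red, _) in CONTROLS.items():
        print(f"{name:<30} ratio {cost_effectiveness(red * 100, cost):>4}")
    chosen, residual, spent = select_controls(CONTROLS, RISK_SCORES, 60_000)
    print("chosen:", chosen, "spent:", spent)
    print("residual risk score:", round(sum(residual.values()), 1))
```

With a $60,000 budget the greedy pass takes MFA first (it credits three risks at once) and then automated patching, leaving unified identity management unfunded because MFA already removed most of the score it would have covered.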
Strategy 3: Continuous Treatment
Rather than annual risk treatment plans, implement continuous risk treatment:
Traditional approach:
Annual risk assessment
Create treatment plan
Implement over 12 months
Repeat
Continuous approach:
Ongoing risk monitoring
Quarterly treatment adjustments
Agile control implementation
Real-time risk response
I implemented this with a technology company. They:
Monitor risk indicators daily
Review and adjust treatments monthly
Implement quick wins within 2 weeks
Track effectiveness in real-time
Result: Average time from risk identification to treatment dropped from 4 months to 2 weeks.
Real-World Risk Treatment Plan: Complete Example
Let me show you a sanitized version of an actual risk treatment plan I created for a mid-sized SaaS company (75 employees, $12M ARR):
Company Profile
Industry: Healthcare SaaS
Data: Patient health information (PHI)
Compliance needs: HIPAA, SOC 2, ISO 27001
Security maturity: Basic (firewalls, antivirus, basic access controls)
Top 10 Risks Identified
| Risk ID | Description | Likelihood | Impact | Current Level | Treatment Priority |
|---|---|---|---|---|---|
| R-001 | Unauthorized PHI access | High (4) | Critical (5) | 20 - Critical | 1 |
| R-002 | Ransomware encryption of production DB | Medium (3) | Critical (5) | 15 - High | 2 |
| R-003 | Loss of customer data (no backups) | Medium (3) | Critical (5) | 15 - High | 3 |
| R-004 | AWS misconfiguration exposure | High (4) | High (4) | 16 - High | 4 |
| R-005 | Phishing compromise of admin accounts | High (4) | High (4) | 16 - High | 5 |
| R-006 | Vendor data breach | Medium (3) | High (4) | 12 - Medium | 6 |
| R-007 | Code vulnerability exploitation | Medium (3) | Medium (3) | 9 - Medium | 7 |
| R-008 | Physical device theft | Low (2) | Medium (3) | 6 - Low | 8 |
| R-009 | Insider data exfiltration | Low (2) | High (4) | 8 - Medium | 9 |
| R-010 | DDoS service interruption | Low (2) | Medium (3) | 6 - Low | 10 |
Treatment Plan Summary
R-001: Unauthorized PHI Access
Treatment: Modify (implement multiple controls)
Controls:
A.9.1.2: Access control policy
A.9.2.1: User access provisioning
A.9.2.3: Management of privileged access
A.9.4.1: Information access restriction
A.12.4.1: Event logging
Owner: CISO
Budget: $55,000 (PAM solution + implementation)
Timeline: 60 days
Target Risk: Medium (2×5=10)
R-002: Ransomware Encryption
Treatment: Modify + Share
Controls:
A.12.2.1: Malware protection
A.12.3.1: Information backup
A.16.1.1: Incident response
Cyber insurance policy
Owner: CTO
Budget: $85,000 (EDR, backup solution, insurance)
Timeline: 45 days (critical priority)
Target Risk: Low (2×4=8)
R-003: Data Loss
Treatment: Modify
Controls:
A.12.3.1: Information backup
A.17.1.2: Business continuity implementation
A.17.1.3: Verify, review, evaluate
Owner: Infrastructure Lead
Budget: $35,000 (automated backup + DR site)
Timeline: 30 days (critical priority)
Target Risk: Low (1×5=5)
Implementation Timeline
Months 1-2 (Critical Risks)
Deploy EDR solution across all endpoints
Implement automated backup with offsite replication
Deploy PAM for privileged access
Purchase and activate cyber insurance
Budget: $175,000
Months 3-4 (High Risks)
AWS security review and remediation
Implement MFA for all users
Deploy phishing simulation training
Establish incident response plan
Budget: $95,000
Months 5-6 (Medium Risks)
Vendor risk assessment program
SAST/DAST implementation
DLP solution deployment
Budget: $125,000
Total Investment: $395,000 over 6 months
Expected Outcome: Reduce critical risks by 80%, high risks by 70%
"A risk treatment plan isn't about eliminating all risk—that's impossible. It's about making conscious, documented decisions about which risks you'll reduce, which you'll accept, and which you'll transfer."
Making It Stick: Risk Treatment Plan Governance
The best treatment plan in the world is worthless without proper governance. Here's the structure I recommend:
Governance Framework
| Role | Responsibility | Frequency |
|---|---|---|
| Risk Owner | Monitor risk indicators, report changes | Weekly |
| Control Owner | Implement and maintain controls | Ongoing |
| Security Team | Verify control effectiveness | Monthly |
| Management | Review risk treatment status | Quarterly |
| Executive Leadership | Approve risk acceptance decisions | As needed |
| Board of Directors | Oversee risk management program | Annually |
Monthly Risk Treatment Meeting Agenda
I run these meetings with all my clients:
Control Implementation Status (15 min)
What's complete?
What's delayed and why?
Resource issues?
Control Effectiveness Review (20 min)
Metrics review
Incident analysis
Gap identification
New/Changed Risks (15 min)
Environment changes
New threats
Business changes
Treatment Plan Adjustments (10 min)
Reprioritization
Resource reallocation
Timeline updates
Real impact: A fintech client implemented these monthly meetings. In the first year:
Caught 3 control failures before they became incidents
Identified and treated 8 new risks before they materialized
Accelerated implementation by 40% through better coordination
The Truth About Risk Treatment Maturity
After working with organizations from startup to Fortune 500, I've noticed clear maturity stages:
Level 1: Reactive (Most organizations start here)
Risk treatment happens after incidents
No formal plan or process
Inconsistent implementation
No measurement
Level 2: Planned (First ISO 27001 certification)
Annual risk assessment
Documented treatment plan
Basic implementation
Manual tracking
Level 3: Managed (2-3 years post-certification)
Quarterly risk reviews
Integrated with change management
Automated controls where possible
Effectiveness metrics
Level 4: Optimized (Mature organizations)
Continuous risk monitoring
Predictive risk treatment
Automated response to common risks
Business-integrated risk decisions
The journey: Most organizations take 2-3 years to move from Level 2 to Level 3. The jump to Level 4 typically takes another 3-5 years and significant investment.
Is Level 4 necessary? Not for everyone. A 50-person company doesn't need the same sophistication as a global bank. Match your maturity to your risk profile and resources.
Your Next Steps: Making This Actionable
If you're building or improving your risk treatment plan, here's what to do next:
Week 1: Assessment
Review your current risk register
Identify untreated or inadequately treated risks
Assess resource availability
Get management buy-in on timeline and budget
Week 2: Prioritization
Apply the prioritization matrix
Focus on critical and high risks first
Create a realistic timeline
Identify dependencies
Week 3-4: Planning
Select treatment options for top 10-20 risks
Map to specific Annex A controls
Assign ownership
Allocate budget and resources
Month 2-6: Implementation
Execute treatment plan by priority
Track progress weekly
Adjust based on reality
Measure effectiveness
Ongoing: Governance
Monthly treatment review meetings
Quarterly risk reassessment
Annual comprehensive review
Continuous improvement
Final Thoughts: The Risk Treatment Mindset
Let me leave you with something I tell every client when we start this journey:
Risk treatment isn't about achieving zero risk. That's impossible and prohibitively expensive. It's about making smart, documented decisions that balance security, cost, and business needs.
The best risk treatment plans I've seen share three qualities:
They're realistic - built around actual resources and capabilities
They're flexible - designed to adapt as risks and business change
They're business-aligned - focused on protecting what actually matters
I started this article with an IT Director staring at 312 risks, paralyzed by choice. We spent three days building a prioritized risk treatment plan. Six months later, they'd implemented controls addressing the top 47 risks, reducing their overall risk exposure by 73%.
A year after that, they achieved ISO 27001 certification with zero non-conformities in risk treatment.
That's the power of a well-executed risk treatment plan—it transforms overwhelming complexity into manageable progress.
Don't let perfect be the enemy of good. Start with your biggest risks, implement the most effective controls, measure your progress, and improve continuously.
Because in cybersecurity, the best time to treat a risk was yesterday. The second-best time is today.