Live Webinar | 26 June 2025 9AM PT
From Black Box to Boardroom: Operationalizing Trust in AI Governance
Glossary
ISO 27001

ISO 27001 Risk Treatment Plan

A risk treatment plan is the second step in the overall risk management process and is usually introduced when the company completes the ISO 27001 risk assessment. While risk assessment is the process of assessing the potential risk, a risk treatment plan includes documenting the actions required to address each risk identified during the assessment process. There are four established risk treatment options that most companies select from when it comes to managing the identified risk. These are acceptance, mitigation, transfer, and avoidance.

The following elements are part and parcel of a certified risk treatment plan.  

  1. A summary providing details of every identified risk
  2. Specifying the responses that have been chosen for the glossary- ISO 27001 Risk Treatment Plan for each risk
  3. Assigning an owner for each identified risk. This includes identifying who is accountable for the assessed risks and mentioning them.
  4. Specify the designated risk mitigation activity owners assigned the duty of performing tasks to address these identified risks.
  5. A set target completion date for evaluating the effectiveness of risk treatment activities.

This treatment plan helps the company decide which controls are beneficial to assess and tackle risks. Annex A under ISO 27001 is considered an ideal starting point since it contains 114 controls, divided into 14 domains. Each domain is tailored to serve a specific category of information security.

Subscribe to our newsletter
Get monthly updates and curated industry insights
Subscribe
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Related Terms

ISO 27001 Stage 2 Audit

Also known as the Certification audit, the ISO 27001 Stage 2 Audit is the second step of the two-step external ISO certification process. It follows after the Stage 1 Audit is successfully completed.

Learn More
ISO 27001 Risk Treatment Plan

A risk treatment plan is the second step in the overall risk management process and is usually introduced when the company completes the ISO 27001 risk assessment.

Learn More
ISO 27001 Risk Assessment

Risk Assessment under ISO 27001 aims to help an organization or entity identify, analyze, and evaluate the weaknesses or loopholes present in its information security system (ISMS) and its processes and procedures.

Learn More

Explore more resources

Scrut innovations: June 2025 snapshot
Learn More
ISO 27001 policy requirements: Complete list and how to write them
Learn More
Scrut innovations: June 2025 snapshot

Learn More

Ready to see what security-first GRC really looks like?

The Scrut Platform helps you move fast, stay compliant, and build securely from the start.

Book a Demo
Book a Demo
Platform
Why ScrutExplore the PlatformSimplify ComplianceStreamline AuditsEmpower Your EmployeesMonitor Cyber RiskAssess Third-Party RiskValidate User PrivilegesManage Asset InventoryDemonstrate TrustAI-Powered GRCIntegrate Your Tech Stack
Frameworks
SOC 2ISO 27001GDPRPCI DSSHIPAANIST AI RMFCustom FrameworksAll Frameworks
Company Stages
StartupGrowthEnterprise
Industry
Enterprise SoftwareFinancial ServicesHealthcareTravel and TourismEducation
Resources
BlogEbooksPodcastSuccess StoriesWebinarsEventsGlossaryFAQs
Hubs
SOC 2 HubISO 27001 HubHIPAA HubExplore All Hubs
Partners
Become a PartnerFind a Partner
Company
CustomersAboutCareersNewsroomSecurity
TrustTerms of UsePrivacy PolicyCookies Policy
© 2025 Scrut Automation. All Rights Reserved.