The number of organisations with an ISO 27001 certification rose 22% in 2020. This was the second-highest rate of increase among ISO standards.
ISO 27001 compliance helps your organisation implement and coordinate an information security management system. The multi-step process involves assessing risks, choosing risk treatment, and implementing risk treatment controls.
A risk treatment plan is a fundamental part of the ISO 27001 process. It's critical to keep your assets secure. It's also an essential factor in getting certification.
Read on to learn more about a risk treatment plan and how to develop the right plan for your organisation.
In this article
- What is a Risk Treatment Plan?
- How does a Risk Treatment Plan fit into ISO 27001?
- Which risks need a Risk Treatment Plan?
- What does an ISO 27001 Risk Treatment Plan include?
- ISO 27001 Controls for Risk Treatment
- ISO 27001 Annex A and ISO 27002 for your Risk Treatment Plan
- Considerations when making a Risk Treatment Plan
- Implementing the security controls
- Measuring the effectiveness of controls
- Your Risk Treatment Plan and ISO 27001 Certification
What is a Risk Treatment Plan?
A risk treatment plan is an essential part of your information security program. It's a comprehensive plan for implementing controls to reduce the likelihood or impact of risks.
Implementation is the critical component of a risk treatment plan. A risk treatment plan is designed to help ensure that risk treatment processes are actually taking place.
How does a Risk Treatment Plan fit into ISO 27001?
ISO 27001 is an international standard published jointly by the International Organisation for Standardisation (ISO) and the International Electrotechnical Commission (IEC). It specifies the requirements for establishing, operating, maintaining and continually improving an information security management system (ISMS), including how to select and manage the controls that treat your risks. It's part of the ISO 27000 family, which focuses on the security of assets like:
- Financial information
- Intellectual property
- Employee and customer data
- Data from third parties
ISO 27001 Risk Management Process
The risk management process under ISO 27001 has six primary phases.
First, you need to determine your risk assessment methodology. You need the entire organisation to perform risk assessments the same way. Risk assessment methods include factors like:
- Whether to use quantitative or qualitative measurements
- Scales for qualitative assessments
- Acceptable levels of risk
The second step is the risk assessment. You create an inventory of your assets and identify the threats and vulnerabilities that could affect them. Then, for each risk, you rate both the likelihood and the impact (consequences) on the scales chosen in step one and combine them to calculate the risk level.
The third step is choosing a risk treatment option for each risk whose level is above your acceptable level. The four treatment options are:
- Avoid the risk by stopping specific tasks or processes
- Decrease the risk by using controls and safeguards
- Share the risk by transferring it to a third party like an insurance company
- Accept (retain) the risk if it's within your acceptable level, or if the cost of treating it is higher than the expected loss. Accepting a residual risk needs documented sign-off from the risk owner.
Fourth, you need to document your risk assessment and treatment. This documentation is for auditors when you apply for ISO 27001 certification. It's also for your organisation's internal use, helpful for tracking your progress or reviewing your risk management methods.
Fifth, you create a statement of applicability (SoA). This document forms the main framework for your certification audit. It lists every Annex A control, states whether it applies to you, gives the justification for including or excluding it, and records whether each applicable control is implemented yet.
Finally, you make the risk treatment plan. This step in the process moves from theory to implementation. It's an implementation plan or an action plan for the controls you want to apply.
Which risks need a Risk Treatment Plan?
You don't necessarily need a risk treatment plan for every risk you identified in your risk assessment. Risks at or below the acceptable level you set in your methodology can be accepted and recorded as such. Any risk above that level must have a treatment plan, though.
The risk assessment phase of ISO 27001 is crucial for determining which risks need treatment. Risk assessment evaluates the likelihood and the consequences of each risk.
You can use various types of scales to assess the level of risk. Examples include low-medium-high or a scale of 1 to 10 for both likelihood and impact, combined in a matrix or by multiplication. Whatever scale you choose, define it once in your methodology so every assessor rates risks the same way.
A more straightforward risk assessment approach is often enough for smaller organisations. Larger organisations can benefit from a more detailed assessment. This helps ensure you're prioritising the most critical risks without becoming overwhelmed.
What does an ISO 27001 Risk Treatment Plan include?
An ISO 27001 risk treatment plan should include information such as:
- Summaries of each risk you identified
- Which controls or other activities you plan to implement
- Who is responsible for the implementation
- When are the deadlines for risk treatment activities
- Which human and financial resources are necessary for the implementation
- How you will judge if the implementation was successful
Mitigating some risks may be a longer-term project than other risks. Your risk treatment plan can show that the work is in progress. You can document your steps and interim measures.
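The six-step process described above (methodology, assessment, treatment option, documentation, SoA, plan) and the plan fields just listed can be made concrete in code. The following Python is an added example, not part of the original article or of any DataGuard tool. It assumes a 1 to 5 qualitative scale for likelihood and impact, a risk level of likelihood times impact, and an acceptance threshold of 6; the risks and decisions are constructed sample data, while the small Annex A subset uses real 2013 control identifiers and titles.

```python
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum

# Step 1, methodology (assumed here): 1-5 scales for likelihood and impact,
# risk level = likelihood x impact (1-25), acceptable risk level = 6.
SCALE = range(1, 6)
ACCEPTABLE_RISK = 6


class Treatment(Enum):
    AVOID = "avoid"    # stop the activity that creates the risk
    MODIFY = "modify"  # reduce likelihood or impact with controls
    SHARE = "share"    # transfer to a third party, e.g. insurance
    ACCEPT = "accept"  # take no action; needs risk-owner sign-off


@dataclass(frozen=True)
class Risk:
    """Step 2: one row of the risk assessment."""
    risk_id: str
    asset: str
    threat: str
    vulnerability: str
    likelihood: int
    impact: int
    owner: str

    def __post_init__(self) -> None:
        if self.likelihood not in SCALE or self.impact not in SCALE:
            raise ValueError(f"{self.risk_id}: likelihood and impact must be 1-5")

    @property
    def level(self) -> int:
        return self.likelihood * self.impact


@dataclass(frozen=True)
class Decision:
    """Step 3: the treatment chosen for one risk, plus the plan fields."""
    risk_id: str
    option: Treatment
    controls: tuple[str, ...]  # Annex A identifiers, e.g. "A.9.4.2"
    responsible: str
    deadline: str              # ISO 8601 date
    resources: str
    success_measure: str
    implemented: bool = False


def needs_treatment(risk: Risk, threshold: int = ACCEPTABLE_RISK) -> bool:
    return risk.level > threshold


def risk_treatment_plan(risks, decisions, threshold=ACCEPTABLE_RISK):
    """Step 6: one entry per unacceptable risk, highest level first.

    Raises ValueError when an unacceptable risk has no decision or a
    'modify' decision names no control, so gaps surface before an audit.
    """
    by_id = {d.risk_id: d for d in decisions}
    plan = []
    for risk in sorted(risks, key=lambda r: r.level, reverse=True):
        if not needs_treatment(risk, threshold):
            continue  # accepted: stays in the register, not in the plan
        decision = by_id.get(risk.risk_id)
        if decision is None:
            raise ValueError(f"{risk.risk_id} (level {risk.level}) has no treatment decision")
        if decision.option is Treatment.MODIFY and not decision.controls:
            raise ValueError(f"{risk.risk_id}: 'modify' chosen but no controls selected")
        plan.append({
            "risk_id": risk.risk_id,
            "summary": f"{risk.threat} via {risk.vulnerability} on {risk.asset}",
            "level": risk.level, "option": decision.option.value,
            "controls": list(decision.controls), "responsible": decision.responsible,
            "deadline": decision.deadline, "resources": decision.resources,
            "success_measure": decision.success_measure,
            "status": "implemented" if decision.implemented else "planned",
        })
    return plan


def statement_of_applicability(annex_a, decisions):
    """Step 5: every Annex A control, applicable or not, with a justification."""
    selected: dict[str, list[str]] = {}
    done: dict[str, bool] = {}
    for d in decisions:
        for c in d.controls:
            selected.setdefault(c, []).append(d.risk_id)
            done[c] = done.get(c, True) and d.implemented  # all users of c done?
    soa = []
    for control_id, title in annex_a:
        applicable = control_id in selected
        soa.append({"control": control_id, "title": title, "applicable": applicable,
                    "justification": "treats " + ", ".join(selected[control_id])
                    if applicable else "no identified risk or obligation requires it",
                    "implemented": done.get(control_id, False)})
    return soa


# Constructed sample data (not a real organisation's register).
ANNEX_A_SUBSET = [("A.6.2.1", "Mobile device policy"),
                  ("A.9.2.3", "Management of privileged access rights"),
                  ("A.9.4.2", "Secure log-on procedures"),
                  ("A.10.1.1", "Policy on the use of cryptographic controls"),
                  ("A.11.1.1", "Physical security perimeter"),
                  ("A.14.2.1", "Secure development policy")]
RISKS = [Risk("R1", "customer database", "credential theft", "admin accounts without MFA", 4, 5, "Head of IT"),
         Risk("R2", "laptop fleet", "device theft", "unencrypted disks", 3, 4, "Head of IT"),
         Risk("R3", "office printer", "outage", "single device, no spare", 2, 1, "Office manager"),
         Risk("R4", "payment processing", "card fraud loss", "uninsured chargebacks", 2, 5, "CFO")]
DECISIONS = [Decision("R1", Treatment.MODIFY, ("A.9.2.3", "A.9.4.2"), "IAM lead", "2021-09-30",
                      "2 engineers, 3 weeks", "100% of admin accounts require MFA"),
             Decision("R2", Treatment.MODIFY, ("A.6.2.1", "A.10.1.1"), "Endpoint lead", "2021-10-31",
                      "MDM licence, 1 engineer", "100% of laptops report disk encryption", implemented=True),
             Decision("R4", Treatment.SHARE, (), "CFO", "2021-08-15",
                      "insurance premium", "policy in force covering card fraud")]

if __name__ == "__main__":
    for entry in risk_treatment_plan(RISKS, DECISIONS):
        print(entry)
    for row in statement_of_applicability(ANNEX_A_SUBSET, DECISIONS):
        print(row)
```

Running the script prints three plan entries (R1, R2 and R4; R3 scores 2 and is accepted) and six SoA rows, two of which are marked not applicable. The point of the two `ValueError` checks is that the plan is derived from the register rather than written by hand, so an unacceptable risk with no decision, or a "modify" decision with no control, is caught in the script rather than by the auditor.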
ISO 27001 Controls for Risk Treatment
Modifying the risk, that is, decreasing it with controls, is the most common of the four treatment options. The controls in ISO 27001 Annex A provide ways to reduce risks, and the implementation strategy for these controls forms most of your risk treatment plan.
The 2013 version of Annex A, which this article describes, has 114 controls organised into 14 domains; the 2005 version had 133. Note that ISO/IEC 27001:2022 restructured Annex A into 93 controls in four themes (organisational, people, physical and technological), and organisations certified against the 2013 version must transition to it by 31 October 2025.
You must consider the controls in Annex A. You aren't limited to those options, though. Your organisation can use other techniques if your analysis shows they're better suited to your situation.
Sections in Annex A
Annex A has 14 domains. IT controls are a significant emphasis. Unlike some other information security standards, though, the ISO 27001 controls go beyond IT.
The sections focus on five main areas:
- IT
- Organisational issues
- Human resources
- Physical security
- Legal issues
The IT-related domains include:
- A.9, Access control
- A.10, Cryptography
- A.12, Operational security
- A.13, Communications security
- A.14, System acquisition, development, and maintenance
- A.16, Information security incident management
- A.17, Information security aspects of business continuity management
The sections focusing on organisational issues are:
- A.5, Information security policies
- A.6, Organisation of information security
- A.8, Asset management
- A.15, Supplier relationships
Domain A.7 addresses human resources security. Physical and environmental security make up section A.11. And legal issues are the focus of domain A.18 on compliance.
Number of Controls per Domain in Annex A
Not surprisingly, Annex A has the most IT-related controls. More than half of the 114 controls cover issues in IT. The breakdown of controls per domain is:
- 61 related to IT
- 24 related to organisational issues
- 15 related to physical security
- 8 related to legal issues
- 6 related to human resources
Your risk treatment plan explains how you're implementing the controls you chose. Your statement of applicability explains why you chose them and the reasons for excluding any others.
Advantages of Annex A for Risk Treatment
Annex A gives a valuable overview of many possible controls you can apply. This helps ensure you don't leave anything out that might be effective.
ISO 27001 lets you choose only the controls that apply to your organisation. You don't waste resources on risk treatment that isn't relevant.
ISO 27001 Annex A and ISO 27002 for your Risk Treatment Plan
Annex A of ISO 27001 gives an overview of each control. It doesn't provide many details. This can make creating a risk treatment plan more challenging.
ISO 27002 fills this gap. ISO 27002 is organised in the same way as Annex A. It gives a much more detailed explanation of each control, though. Where ISO 27001 Annex A has a single sentence, ISO 27002 may have a whole page.
You can use the two standards jointly to ensure you choose the proper controls and design the best implementation plan.
Considerations when making a Risk Treatment Plan
Implementing risk treatments takes people, time, and resources. Without enough support, you won't be able to implement your plan successfully.
Evaluate whether you have enough people to support the risk treatment plan. You also need enough money. If your organisation has financial constraints, you'll need a process for prioritising controls.
Communication with stakeholders is essential. You need everyone to buy into the project and move in the same direction. Keeping all parties up-to-date makes getting their support more likely.
Implementing the security controls
Implementing your risk treatment plan means developing new behaviour in your organisation. Risk treatment controls may require new policies and processes. You need a structured program for training your personnel on the latest procedures.
Resistance to change can make improving your information security more difficult. Education is critical. Personnel at all levels need to understand why the changes are necessary and how they can meet the new expectations.
Measuring the effectiveness of controls
You need to define how you'll measure the effectiveness of your controls. Otherwise, you won't know if your risk treatment plan has served its purpose.
Measuring whether you have fulfilled your control objectives is vital for your organisation's security. It's also essential when you're seeking an ISO 27001 certificate. For ISO 27001 compliance, you must have evidence that you're implementing the controls in your plan.
Your Risk Treatment Plan and ISO 27001 Certification
Writing a risk treatment plan is a critical phase in the ISO 27001 process. It moves you one step closer to ISO 27001 certification. The certification process can seem daunting. Risk treatment is just one aspect of the compliance process.
DataGuard can help you achieve ISO 27001 certification. Our industry-specific expertise has helped more than 2,000 businesses stay compliant. Our team will support you throughout the certification process, including the external audit.
Schedule a free initial consultation now and discover how the DataGuard ISO 27001 certification solution can help you get certified.
Mastering ISO 27001: avoiding common control failures
Step up your security game with our exclusive guide to the most challenging ISO 27001 controls. Tailored insights await to help you avoid common pitfalls and pass your audit with confidence.
Get your free guide