ISO 27001 Clause 8.3: Information security risk treatment

ISO 27001 made easy: A comprehensive guide to understanding the standard

Get your free guide


Get your free guide

Information security risk treatment is the process of selecting and implementing controls to reduce the likelihood and impact of information security risks. It is an essential part of any information security management system (ISMS) and is required by the ISO 27001 standard.

Clause 8.3 of ISO 27001 requires organisations to implement the information security risk treatment plan and retain documented information on the results of that risk treatment.

This means that organisations must have a plan in place for how they will address the risks that have been identified, and they must keep records of how they have implemented that plan.

Here are some of the things that are involved in requirement 8.3:

  • Identifying and assessing risks

  • Developing and implementing risk treatment plans

  • Monitoring and reviewing the effectiveness of risk treatment plans

  • Retaining documented information on the results of risk treatment

Organisations can use a variety of methods to implement requirement 8.3, such as:

What is the information risk treatment plan? 

An information risk treatment plan (IRTP) is a document that outlines how an organisation will manage and treat the information security risks that have been identified through its risk assessment process. The IRTP should include the following:

  • A list of all identified risks, along with their likelihood and impact

  • A description of the risk treatment strategies that will be used to address each risk

  • A list of the controls that will be implemented to support the risk treatment strategies

  • A timeline for implementing the controls

  • A plan for monitoring and reviewing the effectiveness of the risk treatment plan

The IRTP should be a living document that is updated regularly as the organization's risk landscape changes. 

Get ready for the ISO 27001:2022 audit with up to 75% less workload.

100% first-try pass rate in external audits on ISO 27001 

Book a demo
DG Seal ISO 27001

What are the four risk treatment options?

There are a number of different risk treatment strategies, but the most common are:

  • Avoidance: This involves taking steps to eliminate the risk altogether, such as by not using a particular technology or process.

  • Mitigation: This involves taking steps to reduce the likelihood or impact of the risk, such as by implementing security controls.

  • Acceptance: This involves accepting the risk as it is and taking no further action.

  • Transfer: This involves transferring the risk to a third party, such as an insurance company.

The best risk treatment strategy for a particular risk will depend on a number of factors, including the likelihood and impact of the risk, the cost and effectiveness of different controls, and the organisation's risk appetite.

How to implement information security risk treatment

To implement an information security risk treatment plan, organisations should follow a risk management process.

  1. Identify risks: The first step is to identify all of the information security risks that face the organisation. This can be done through a variety of methods, such as risk assessments, threat modelling, and vulnerability scans.
  2. Assess risks: Once the risks have been identified, they need to be assessed to determine their likelihood and impact. This information can then be used to prioritise the risks and select the most appropriate risk treatment strategies.
  3. Treat risks: Once the risk treatment strategies have been selected, they need to be implemented. This may involve implementing new security controls, updating existing controls, or changing processes.
  4. Monitor and review risks: The risk management process is an ongoing one, and risks should be monitored and reviewed on a regular basis to ensure that they are being effectively managed.

The ISO 27001 standard requires organizations to have a risk treatment plan in place to address the information security risks that have been identified through the risk assessment process.

The risk treatment plan should identify the risks, the risk treatment strategies that will be used to address the risks, and the controls that will be implemented to support the risk treatment strategies.

The risk treatment plan is important for the ISO 27001 certification process because it demonstrates to the auditor that the organization has a plan in place to manage its information security risks. The auditor will review the risk treatment plan to assess whether it is comprehensive and appropriate for the organization's risks. 

Your ISO 27001 certification process made simple.

Get ISO 27001 certified in as little as 3 months.

Download your free guide now 
DG Seal ISO 27001

The benefits of having an information risk treatment plan

In addition to being required for the ISO 27001 certification, a risk treatment plan also has a number of other benefits, such as:

  • Reduced risk of information security incidents: An information risk treatment plan helps organisations to identify and manage their information security risks effectively. This can help to reduce the likelihood and impact of information security incidents, such as data breaches, malware attacks, and denial-of-service attacks.

  • Improved compliance: Many regulatory requirements require organisations to have an information risk treatment plan in place. Having a plan can help organisations to demonstrate to regulators that they are taking steps to protect their information assets.

  • Enhanced customer confidence: Customers are more likely to do business with organisations that they trust to protect their data. Having an information risk treatment plan can help organisations demonstrate to customers that they are taking information security seriously.

  • Reduced costs: Information security incidents can be very costly, both in terms of financial losses and reputational damage. Having an information risk treatment plan can help organisations to reduce the risk of these incidents, which can lead to significant cost savings.

  • Improved business continuity: Information security incidents can disrupt business operations and lead to lost revenue. Having an information risk treatment plan can help organisations improve their business continuity by reducing the risk of these incidents.

In addition to these benefits, having an information risk treatment plan can also help organisations to:

  • Make better decisions about information security investments: By understanding their risks, organisations can make more informed decisions about where to invest their resources in terms of information security controls.

  • Improve communication and collaboration: An information risk treatment plan can help to improve communication and collaboration between different departments within an organization. This can lead to a more effective and efficient approach to information security.

  • Raise awareness of information security risks: An information risk treatment plan can help to raise awareness of information security risks among employees. This can lead to more informed and responsible behaviour in terms of information security.

Overall, an information risk treatment plan is an essential tool for any organisation that wants to protect its information assets and improve its information security posture.

Save Money with ISO 27001

up to 50%

Cheaper than external consultants


up to 300%

Increase your opt-in rate with Consent & Preference Management

Scale Fast with ISO 27001

3 months

Get audit-ready in as little as three months

ISO 27001 Certificate


First-try pass rate in external audits on ISO 27001 and TISAX®

ISO 27001 certification to reduce Workload

Saves up to 100 hours

of manual work to get ISO 27001 certified or TISAX® labels

ISO 27001 Certification creates trust

Customers trust us

Get in touch




External DPO
Audit and risk analysis
Data Subject Requests
Online training courses
Cookie & Preference manager
Business advice from experts



Prepare for ISO 27001
Build an ISMS
Cyber security
Asset management
Risk mitigation
Internal audit



Digital whistleblowing system
Whistleblowing support
Compliance audit
Risk mitigation
Online training courses

Trusted and used by companies

Canon-4 The Cheeky Panda Burger King Unicef UK-1 Free Now

TISAX® is a registered trademark of the ENX Association. DataGuard is not affiliated with the ENX Association. We provide consultation and support for the assessment on TISAX® only. The ENX Association does not take any responsibility for any content shown on DataGuard's website.

All data provided is for information only, based on internal estimates. This information is not indicative of KPIs, and is not given with any warranties or guarantees, expressly stated or implied in relation to accuracy and reliability.