Risk treatment evidences

What level of documented information is expected here? Am I expected to maintain a separate log or is using the risk treatment plan which details the treatments enough to use as a basis for demonstrating that the treatments have been applied?

Answer: Besides the Risk Treatment Plan you also have to maintain evidences of the results achieved with each treatment implemented. For example, if the treatment is monitoring an asset, evidences may be log, as you stated. If treatment is backup, evidences may be the backup media or backup media register.

In the video tutorials that came with your toolkit, you can see examples of how to fill out all the data for Risk assessment and Risk treatment.

This article will provide you further explanation about risk treatment:
- Risk Treatment Plan and risk treatment process – What’s the difference? https://advisera.com/27001academy/knowledgebase/risk -treatment-plan-and-risk-treatment-process-whats-the-difference/

These materials will also help you regarding risk treatment:
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
- The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/