Difference between Risk Treatment Plan and Corrective Actions

Guest user. Created: Aug 14, 2019. Last commented: Aug 14, 2019.

Hi, I'm not clear on why we would use 2 different documents for how we treat a risk identified and using the corrective action form. Can you give me examples so I can see the difference when they're used?
Expert
Rhand Leal Aug 14, 2019

Answer:

Risk Treatment Plan and Corrective Actions fulfill different purposes and requirements; that's why we provide different documents.

You use the Risk Treatment Plan to define actions to treat risks, i.e., actions to prevent them from happening, or to minimize their impact in case they occur.

On the other hand, you use Corrective actions to treat controls or processes that failed to fulfill their objectives, or are not performing as planned.

For example, to treat a risk of data loss you can define the implementation of a backup process in the Risk Treatment Plan.

Now consider that this backup process is implemented, and it was identified that for some reason the backup was not performed as scheduled, or that the process has failed (in both situations the original data wasn't lost). To treat this situation you have to open a Corrective Action.

These articles will provide you with further explanation about risk treatment plan and corrective actions:
- Risk Treatment Plan and risk treatment process – What’s the difference? https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#treatment
- Practical use of corrective actions for ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2013/12/09/practical-use-of-corrective-actions-for-iso-27001-and-iso-22301/
