Risk treatment and risk treatment plan
Risk Management Methodology
Risk Assessment
Risk Treatment
SoA
Risk Treatment Plan.
Could you please elaborate on the difference between risk treatment and risk treatment plan?
Answer: Risk treatment refers to the options you have available to treat a risk, the most common being risk acceptance, risk mitigation, risk avoidance and risk transfer. When we talk about a risk treatment plan, we are talking about the specific activities, responsible persons, deadlines and resources needed to implement the chosen risk treatment.
For example, regarding a risk of database compromise by malware, you can define the risk treatment as "mitigate risk", and for the risk treatment plan you can define:
- Joe has to install antivirus on database servers by the end of June/2017
- John has to implement a backup routine for databases by the end of July/2017.
These articles will provide you with further explanation about risk treatment and risk treatment plan:
- 4 mitigation options in risk treatment according to ISO 27001 https://advisera.com/27001academy/blog/2016/05/16/4-mitigation-options-risk-treatment-according-iso-27001/
- Risk Treatment Plan and risk treatment process – What’s the difference? https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#treatment
These materials will also help you regarding risk treatment and risk treatment plan:
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
- The basics of risk assessment and treatment according to ISO 27001 [free webinar] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
Jun 13, 2017