
Risk Treatment Implementation and Risk Treatment Plan

Guest user Created:   Jun 17, 2020 Last commented:   Jun 17, 2020


We are working on the ISO 27001 documents we purchased from Advisera.

1. We are discussing the implementation steps and we are a bit confused about the Risk Treatment Implementation and the Risk Treatment Plan. Please, what is the difference between the two? When are the risks actually treated?

2. Also, what is the difference between the risk treatment methodology and the risk treatment plan?


Expert
Rhand Leal Jun 17, 2020

1. We are discussing the implementation steps and we are a bit confused about the Risk Treatment Implementation and the Risk Treatment Plan. Please, what is the difference between the two? When are the risks actually treated?

In the risk treatment implementation, you need to define what to do with risks (e.g., risk mitigation, risk avoidance, risk acceptance, and risk transfer), while in the Risk Treatment Plan you define the actions, responsible parties, and deadlines to implement the chosen option. For example:

  • Risk: information loss due to a virus
  • Risk Treatment: mitigate the risk
  • Risk treatment plan: The IT manager must develop and implement a backup policy in the following 90 days.

These articles will provide you with a further explanation of risk treatment and the risk treatment plan:

2. Also, what is the difference between the risk treatment methodology and the risk treatment plan?

The risk treatment methodology refers to the rules (e.g., steps and criteria) to be followed when performing the risk treatment, while the Risk Treatment Plan is one of the outputs of the risk assessment and risk treatment process as a whole (together with the Statement of Applicability). Please note that the most common reference you will find is about the Risk Assessment and Risk Treatment Methodology because ISO 27001 requires the definition of processes for both risk assessment and risk treatment.

These articles will provide you with a further explanation of the risk management process and the risk treatment methodology:

These materials will also help you regarding risk management:
