Risk treatment plan
Is it necessary to implement a treatment plan for all identified risks, or is it only necessary to apply a treatment plan if a medium or high-risk is detected?
I am asking this question because in my risk assessment, all the residual risks are low, and according to my policy, only medium and high risks should receive a risk treatment plan. I want to know if it's appropriate to leave low risks without a risk treatment plan or if I should create one despite all risks being low.
Assign topic to the user
ISO 27001 RISK TREATMENT PLAN
Determine responsibilities for the implementation of controls.
Get it now 
ISO 27001 RISK TREATMENT PLAN
Determine responsibilities for the implementation of controls.
Get it now
ISO 27001 RISK TREATMENT PLAN
Determine responsibilities for the implementation of controls.
Get it now
Thank you for your question.
We answered it through Experta - you can find the answer here: https://experta.com/shared-post/356983f7-e736-474d-b864-81cb855154a8
Comment as guest or Sign in
May 06, 2024