Structure of the Risk Treatment Plan
Assign topic to the user
ISO 27001 does not prescribe the structure of the Risk Treatment Plan, but if you follow the logic of clause 6.2, then you should include the following information: what to implement, by whom, when, using which resources, etc. You can see a preview of the Risk treatment plan here (look for the "Free Demo" tab): https://advisera.com/27001academy/documentation/risk-treatment-plan/
In my opinion, the best would be to organize the Risk treatment plan according to controls - first of all RTP is based on Statement of Applicability (which is also based on controls), and second the implementation will be much easier if the planning is done control by control.
Read also this article: Risk Treatment Plan and risk treatment process Whats the difference? https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#treatment
Comment as guest or Sign in
Jan 12, 2016