Risk treatment is the ISO 27001 process of selecting and implementing one or more options to modify an identified risk. The four standard treatment options are mitigation (reducing likelihood or impact through controls; "risk modification" in ISO terminology), transfer (sharing the risk with a third party, e.g. through insurance or outsourcing; "risk sharing" in ISO terminology), avoidance (eliminating the activity that gives rise to the risk) and acceptance (consciously retaining the risk because it falls within appetite; "risk retention" in ISO terminology). Two caveats apply in practice: transfer shares the financial consequences but does not shift accountability for the risk, which stays with the organisation; and every option other than avoidance leaves a residual risk that must itself be assessed and formally accepted by the risk owner.
Each treatment option should be evaluated for feasibility, cost-effectiveness and alignment with the organisation's risk appetite before implementation. The chosen treatment must be recorded in the risk treatment plan, which ISO 27001 requires the risk owners to approve, together with their acceptance of the residual risks; where the treatment is mitigation, the selected controls are also reflected in the Statement of Applicability. The plan's effectiveness must then be monitored over time. Reassessment at planned intervals, and whenever significant changes occur, ensures that treatments remain appropriate as the threat landscape and business context evolve.