Glossary

Risk Treatment Plan

Documented approach for addressing risks through acceptance, mitigation, transfer or avoidance.


A risk treatment plan is a formal document that outlines how each identified risk will be addressed, specifying the chosen treatment strategy—whether acceptance, mitigation, transfer or avoidance. It includes details such as the responsible owner, required resources, implementation timeline and success criteria for each treatment action.

The risk treatment plan is a mandatory deliverable in ISO 27001 and serves as the operational bridge between risk assessment outcomes and concrete security improvements. It should be reviewed regularly by management and updated as risks are resolved, new risks emerge or business priorities shift, ensuring that the organisation's risk posture remains aligned with its objectives.
