Step 9 of the ISO 27001 implementation process focuses on formulating and implementing a risk treatment plan based on the risk assessment conducted in Step 8. This critical step addresses identified risks by selecting appropriate treatment options and controls to mitigate, avoid, share, or retain them. By executing a structured risk treatment process, organizations ensure risks are managed rationally, avoiding hasty decisions driven by anxiety. This step is pivotal, as it involves significant effort and may require multiple side projects to implement controls effectively. The milestone is the approval of the risk treatment plan and the acceptance of residual risks, paving the way for a robust Information Security Management System (ISMS).
Required Activities and Tasks
This step involves a cohesive set of activities to develop, implement, and validate a risk treatment plan, ensuring alignment with ISO 27001 requirements and the organization’s risk profile:
Develop the Risk Treatment Plan: Select appropriate risk treatment options (avoid, mitigate, share, or retain) and choose relevant controls, leveraging Annex A’s 93 controls or other frameworks like NIST, while ensuring alignment with organizational needs.
Formulate and Approve the Plan: Create a comprehensive risk treatment plan, compare selected controls with Annex A to produce a mandatory Statement of Applicability, and secure approval from risk owners.
Implement the Risk Treatment Plan: Execute the plan, which may involve multiple side projects to deploy controls, adapting tasks based on existing processes like change management or intrusion detection systems.
Validate and Accept Residual Risks: Assess the effectiveness of implemented controls, update the Statement of Applicability, and obtain risk owner acceptance of residual risks to finalize the process.
The milestone for this step is the successful implementation of the risk treatment plan and the acceptance of residual risks, marking a significant advancement in ISMS maturity.
Deliverables of This Step
The outputs of Step 9 provide a structured approach to managing and mitigating risks:
Risk Treatment Plan: A detailed document outlining selected treatment options and controls to address identified risks.
Statement of Applicability (SoA): A mandatory document listing selected controls, their justification, and comparison with Annex A controls.
Control Implementation Records: Documentation of implemented controls, including any side projects or adaptations to existing processes.
Residual Risk Acceptance Records: Evidence of risk owner approval for remaining risks after treatment.
These deliverables ensure risks are systematically addressed and documented for ISO 27001 compliance.
Normative References
This step is guided by specific ISO 27001 clauses that outline requirements for risk treatment and operational control:
Clause 6.1.3: Information Security Risk Treatment: Mandates the development and implementation of a risk treatment plan, including the selection of appropriate controls and the production of a Statement of Applicability.
Clause 7.1: Resources: Ensures the organization allocates necessary resources to implement the risk treatment plan effectively.
Clause 8.1: Operational Planning and Control: Requires the organization to plan, implement, and control processes needed to meet ISMS requirements, including risk treatment activities.
Clause 8.3: Information Security Risk Treatment: Specifies the need to implement the risk treatment plan and document results, ensuring risks are addressed in line with the organization’s risk acceptance criteria.
These clauses provide the framework for a structured and compliant risk treatment process.
