ISO 27001 Risk Treatment Plan Template
Are you either planning or already in the throes of ISO Certification?
More and more companies are turning towards ISO or AICPA’s SOC certifications to meet the security requirements of their customers and global commerce today.
This article will help you meet the integral step of developing the required Risk Treatment Plan. Whether it’s a priority for your company to build a strong security program or you’re driven by external forces, ultimately, the sooner you start creating your risk treatment plan, the better off you’ll be in front of regulators, customers, or even investors. So, read on…
Your Risk Treatment plan documents your organization’s response to identified threats and your methodology or process behind making those decisions. It is, therefore, different or specific to each organization, but here are some keys to implementation that should work for all of us.
When correctly implemented, your plan will both help you identify which battles to fight (first). It is highly unlikely that you will be able to implement controls for every identified risk to your organization. Rather, you will need to prioritize and to do this, here are the key steps to follow:
Step 1: Identify the Risk.
Step 2: Analyze the risk.
Step 3: Evaluate or Rank the Risk.
Step 4: Treat the Risk.
Step 5: Monitor and Review the risk.
Identify: Assess your organizational risk
You will need to undertake an internal Risk Assessment to identify your known risks. Once you’ve completed your risk assessment. Remember, this also includes risk in your supply chain. You can be liable for third and fourth party risk if you don’t establish protocols and third party requirements for risk practices, and too often, this is the downfall of companies when external risk is not properly evaluated.
Once you have identified your risks, you’ll be left with a list of ‘unacceptable’ threats that need to be addressed. As stated before, that list may be significant, so the next step is to analyze, prioritize and classify.
Classify or Prioritize Risk
This usually requires the approval of the Board Risk Committee or whosoever assumes oversight for security at this level. Remember, liability is like heat — it rises! If your janitor causes an incident, the CEO could well go to jail. That can be a career-limiting move for you (especially if you are the CEO). As such, the highest levels of the organization need to understand (and approve) the methodology for classifying risk. Let’s classify first, then determine how we get there…
Your risk classification also helps determine treatment. Below is an example of possible classifications.
Very High [Top priority — avoid, mitigate or transfer]
High [Top priority — avoid, mitigate or transfer]
Medium [Mitigate, Transfer, Accept]
Low (Accept Risk)
Typically organizations assign 2 ratings to determine classification: Inherent Risk determines the level of risk before treatment. This can be determined by an Impact Analysis that qualifies all of the possible areas of impact that the risk poses to the business.
Likelihood, as it suggests, determines the ‘likelihood’ of that risk occurring prior to treatment.
There is also Residual Risk, which defines the remaining risk post-treatment. Remember, there is always some level of risk. We talk about this in our conclusion.
Risk Treatment Options:
In terms of treatment of risk, here we outline the different meanings and most common options available:
Mitigate: Mitigation is the implementation of a control to reduce the likelihood of the risk occurring. Again, note the term ‘reduce’ as opposed to eliminate.
Transfer: This option is effectively the adoption of an “insurance plan”. Essentially, to transfer the risk means to outsource it to another security firm for oversight. Alternatively, companies literally purchase cyber insurance against the threat. Just a note here, too, that transfer is sometimes referred to as ‘share’. It may not completely exculpate you from responsibility for the risk.
Cyber Insurance is the fastest growing form of insurance in the United States — if you are looking for a career move!
Avoid: Perhaps the most drastic of the four options provided, when the organization chooses to cease the activity that creates the risk. This could be done by choosing a methodology that poses a lower, more acceptable level of risk, or deciding that the activity does not rate highly enough in the business strategy. Roughly translated, the cost of either mitigation or exposure is too high to merit its continuance.
Accept the Risk: As it sounds again. Here the organization accepts the risk, usually because the cost of mitigation is greater than the damage that it would cause. Accepting the risk doesn’t mean “forget about” or “ignore” the risk. All risk needs to be continuously monitored as risk is constantly changing.
It’s not over yet/ever:
Earlier, we mentioned Residual Risk, defined as the remaining risk post-treatment. Regrettably, there is always some level of risk to doing business. Your Risk Treatment Plan, then, is the forerunner to creating your Risk Register, as well as implementing Issue Management. [For more information on Risk Registers and Issue Management]
This is also why spreadsheets are no longer an option for risk management. You simply cannot afford to take a ‘Point in Time’ approach to managing risk. You need to see your risk management in real-time, to ensure mitigation is followed through, controls are implemented and risk is evaluated for change on an ongoing basis. You need a platform, automation, and continuous monitoring in place to ensure the effective implementation of your Risk Treatment Plan. Fortunately, if you are reading this, we have the solution for this, too.