Risk Treatment: Definition, Options, and Best Practices
Risk Treatment
Risk treatment is the process of deciding what to do about each risk identified during a risk assessment. It is the step where analysis turns into action. Every compliance framework that requires risk management — including ISO 27001, SOC 2, and NIST CSF — expects organizations to document their treatment decisions and implement them.
The Four Treatment Options
For each identified risk, organizations choose one of four approaches:
- Mitigate — Implement controls to reduce the likelihood or impact of the risk. This is the most common treatment. Example: deploying multi-factor authentication to reduce the risk of unauthorized access.
- Transfer — Shift the risk to a third party, typically through insurance or outsourcing. Example: purchasing cyber liability insurance to transfer financial exposure from a data breach.
- Accept — Acknowledge the risk and take no further action because the cost of treatment exceeds the potential impact. This must be a deliberate, documented decision approved by management.
- Avoid — Eliminate the activity or condition that creates the risk entirely. Example: discontinuing a legacy application that cannot be secured.
Risk Treatment Plans
A risk treatment plan documents the specific actions that will be taken for each risk that is not accepted. It should include the treatment option selected, the controls or actions to be implemented, the responsible person, the timeline, and the expected residual risk after treatment.
ISO 27001 requires a formal risk treatment plan, and auditors will verify that the plan is being executed. Risks that remain open without documented treatment plans are a common nonconformity finding.
Connecting Treatment to Controls
Risk treatment decisions directly inform your control environment. Each control you implement should trace back to one or more risks it addresses. This traceability is what auditors look for — controls that exist without a corresponding risk suggest a checkbox mentality rather than risk-based security management.
Residual Risk
After treatment, some risk will remain. This is called residual risk, and it must be formally accepted by management. If the residual risk exceeds the organization's risk appetite, additional treatment is required.
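The rules in the sections above (every non-accepted risk needs a plan with an owner, a timeline and an expected residual risk; residual risk must be formally accepted or, if it exceeds the risk appetite, treated further; every control should trace back to an identified risk) can be checked mechanically over a risk register. The following is an added example, not part of the original page; the risk scores, the appetite threshold and the sample register and control set are constructed.

```python
from dataclasses import dataclass

RISK_APPETITE = 8  # constructed: highest residual score management will tolerate

@dataclass
class Risk:
    risk_id: str
    treatment: str          # "mitigate", "transfer", "accept" or "avoid"
    owner: str = ""         # responsible person
    due: str = ""           # timeline for completing the treatment
    residual: "int | None" = None  # expected residual risk score after treatment
    accepted_by: str = ""   # management sign-off (for "accept" and for residual risk)

def review_register(risks, controls):
    """Return audit-style findings; controls maps control id -> list of risk ids."""
    findings = []
    known = {r.risk_id for r in risks}
    covered = {rid for rids in controls.values() for rid in rids}
    for r in risks:
        if r.treatment == "accept":
            if not r.accepted_by:
                findings.append(f"{r.risk_id}: accepted without documented management approval")
            continue
        # Every non-accepted risk needs a plan: owner, timeline and expected residual risk
        if not r.owner or not r.due or r.residual is None:
            findings.append(f"{r.risk_id}: open risk without a documented treatment plan")
            continue
        if r.treatment == "mitigate" and r.risk_id not in covered:
            findings.append(f"{r.risk_id}: mitigated, but no control traces back to it")
        if r.residual > RISK_APPETITE:
            findings.append(f"{r.risk_id}: residual {r.residual} exceeds appetite {RISK_APPETITE}")
        elif not r.accepted_by:
            findings.append(f"{r.risk_id}: residual risk not formally accepted by management")
    for cid, rids in controls.items():
        if not rids or not set(rids) <= known:
            findings.append(f"{cid}: control does not trace to an identified risk")
    return findings

# Constructed sample register and control set (not real data)
SAMPLE_RISKS = [
    Risk("R1", "mitigate", "IT Lead", "2025-Q3", residual=4, accepted_by="CISO"),
    Risk("R2", "transfer", "CFO", "2025-Q2", residual=12, accepted_by="CFO"),
    Risk("R3", "accept"),
    Risk("R4", "avoid"),
    Risk("R5", "mitigate", "AppSec", "2025-Q4", residual=3),
]
SAMPLE_CONTROLS = {"MFA": ["R1"], "AV-policy": [], "Backup": ["R9"]}

def sample_findings():
    return review_register(SAMPLE_RISKS, SAMPLE_CONTROLS)
```

Running `sample_findings()` on the constructed register reports the orphaned controls, the accepted risk lacking sign-off, the avoided risk with no plan, and the transferred risk whose residual still exceeds the appetite.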