The risk treatment plan translates the results of your risk analysis into concrete actions. For every risk above the acceptance threshold, it documents what will be done, who is responsible, and by when implementation must be complete.
ISO 27001 Clause 6.1.3 requires a risk treatment plan that records the chosen treatment options, the associated controls, and the approval of risk owners. Without this plan, risk analysis remains an academic exercise.
What does it contain?
The CSV template bridges the risk register and operational action planning. Key columns:
- Risk ID — link to the risk register
- Treatment option — mitigate, avoid, transfer, or accept
- Control(s) — concrete steps to treat the risk
- Related Annex A control — which ISO 27001 control is being implemented?
- Owner and deadline — who implements, by when?
- Implementation status — planned, in progress, completed
- Residual risk — the remaining risk after the control is in place
How to use it
Derive it from the risk register. Every risk above the acceptance threshold receives a treatment decision. For the “mitigate” option, you define specific controls — often Annex A controls from ISO 27001. The mapping between risk, treatment option, and control makes the plan traceable.
Monitor implementation. The plan functions as a project management document. Each control has an owner, a deadline, and a status. During the management review, you report progress — overdue controls are a typical audit finding.
Document residual risk. After all controls are implemented, residual risk remains. This residual risk must be assessed and formally accepted by the risk owner. Documenting that acceptance is an explicit requirement of Clause 6.1.3.
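The three steps above (derive the plan from the register, monitor implementation, document residual risk) come down to checks that can be run over the CSV file itself. The following Python script is an added example, not part of the template or of the page's own material: it loads a plan in the column layout described above and reports overdue controls, rows missing an owner, due date or Annex A mapping, per-risk completion counts for the management review, and risks whose residual score stays above an acceptance threshold without a recorded acceptance. The sample CSV is constructed from the table on this page; the extra `Residual Accepted By` column and its placeholder values, the deliberately blanked owner on RTP-007, and the threshold of 6 are assumptions.

```python
"""Consistency checks for a risk treatment plan CSV laid out like the template
described above (one row per control, linked to the risk register by Risk ID).

Added example, not part of the template. Assumptions: an extra
'Residual Accepted By' column recording the risk owner's acceptance, and an
acceptance threshold of 6 on the residual score."""

import csv
import io
from datetime import date

# Assumption: residual scores above this value need a recorded acceptance.
ACCEPTANCE_THRESHOLD = 6

# Constructed sample: six rows taken from the table on this page, with the
# assumed acceptance column appended (placeholder values) and the owner of
# RTP-007 deliberately blanked so the completeness check has something to find.
SAMPLE_CSV = """\
ID,Risk ID,Action,Annex A Control,Owner,Start Date,Due Date,Budget (EUR),Status,Verification,Residual Score After,Residual Accepted By
RTP-001,R-001,Deploy phishing-resistant MFA (FIDO2) for all admin accounts,A 5.17 A 8.5,IT Operations Lead,2026-02-01,2026-06-30,8000,In progress,Audit test Q3,6,Risk owner R-001
RTP-002,R-001,Segment backup network and isolate credentials,A 8.12 A 8.20,IT Operations Lead,2026-03-01,2026-07-31,12000,Open,Pentest,6,Risk owner R-001
RTP-003,R-001,Quarterly restore test on offline backup,A 8.13,IT Operations Lead,2026-02-01,Recurring,2000,In progress,Test log,6,Risk owner R-001
RTP-007,R-003,Implement strict leaver access revocation within 2h,A 5.11 A 6.5,,2026-03-01,2026-06-15,0,In progress,Audit sample,6,Risk owner R-003
RTP-009,R-004,Monthly supplier status review,A 5.22,Procurement,2026-01-01,Recurring,0,In progress,Review notes,9,
RTP-011,R-005,Enable S3 public-access block at account level,A 8.9,IT Operations Lead,2026-03-01,2026-04-15,0,Completed,Config report,6,Risk owner R-005
"""


def load_plan(text):
    """Parse the CSV into row dicts with whitespace stripped from every field."""
    reader = csv.DictReader(io.StringIO(text))
    return [{key: value.strip() for key, value in row.items()} for row in reader]


def parse_due(value):
    """ISO due dates become a date; 'Recurring' or blank entries return None."""
    try:
        return date.fromisoformat(value)
    except ValueError:
        return None


def overdue_controls(rows, today):
    """IDs of controls past their due date that are not marked completed."""
    found = []
    for row in rows:
        due = parse_due(row["Due Date"])
        if row["Status"].lower() != "completed" and due is not None and due < today:
            found.append(row["ID"])
    return found


def incomplete_rows(rows):
    """IDs of rows missing an owner, a due date, or an Annex A mapping."""
    required = ("Owner", "Due Date", "Annex A Control")
    return [row["ID"] for row in rows if any(not row[col] for col in required)]


def unaccepted_residual(rows, threshold=ACCEPTANCE_THRESHOLD):
    """Risk IDs with a residual score above the threshold and no recorded acceptance."""
    flagged = {row["Risk ID"] for row in rows
               if int(row["Residual Score After"]) > threshold
               and not row["Residual Accepted By"]}
    return sorted(flagged)


def progress_by_risk(rows):
    """Per risk: (completed controls, total controls), for the management review."""
    progress = {}
    for row in rows:
        done, total = progress.get(row["Risk ID"], (0, 0))
        if row["Status"].lower() == "completed":
            done += 1
        progress[row["Risk ID"]] = (done, total + 1)
    return progress


def audit(text, today):
    """Run every check over a CSV text; 'today' may be a date or an ISO string."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    rows = load_plan(text)
    return {
        "overdue": overdue_controls(rows, today),
        "incomplete": incomplete_rows(rows),
        "unaccepted_residual": unaccepted_residual(rows),
        "progress": progress_by_risk(rows),
    }


if __name__ == "__main__":
    # Review date chosen so that two of the sample controls are already overdue.
    for name, finding in audit(SAMPLE_CSV, "2026-07-01").items():
        print(f"{name}: {finding}")
```

Recurring controls have no single due date, so the script skips them in the overdue check and relies on the verification column (test log, review notes) being checked during the management review instead. Running the script on an exported copy of the real plan before each review gives the list of overdue and unowned controls that would otherwise surface as audit findings.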
| ID | Risk ID | Action | Annex A Control | Owner | Start Date | Due Date | Budget (EUR) | Status | Verification | Residual Score After |
|---|---|---|---|---|---|---|---|---|---|---|
| RTP-001 | R-001 | Deploy phishing-resistant MFA (FIDO2) for all admin accounts | A 5.17 A 8.5 | IT Operations Lead | 2026-02-01 | 2026-06-30 | 8000 | In progress | Audit test Q3 | 6 |
| RTP-002 | R-001 | Segment backup network and isolate credentials | A 8.12 A 8.20 | IT Operations Lead | 2026-03-01 | 2026-07-31 | 12000 | Open | Pentest | 6 |
| RTP-003 | R-001 | Quarterly restore test on offline backup | A 8.13 | IT Operations Lead | 2026-02-01 | Recurring | 2000 | In progress | Test log | 6 |
| RTP-004 | R-002 | Roll out FIDO2 keys to all staff | A 5.17 | ISO | 2026-05-01 | 2026-09-30 | 15000 | Open | Coverage report | 6 |
| RTP-005 | R-002 | Monthly phishing simulation + targeted retraining | A 6.3 | HR Lead | 2026-01-01 | Recurring | 3000 | In progress | LMS report | 6 |
| RTP-006 | R-003 | Deploy outbound DLP rule for PII in email and web | A 8.12 | ISO | 2026-04-01 | 2026-09-30 | 10000 | Open | DLP alerts | 6 |
| RTP-007 | R-003 | Implement strict leaver access revocation within 2h | A 5.11 A 6.5 | HR Lead | 2026-03-01 | 2026-06-15 | 0 | In progress | Audit sample | 6 |
| RTP-008 | R-004 | Qualify a second logistics SaaS provider as standby | A 5.30 A 5.22 | Procurement | 2026-04-01 | 2026-12-31 | 20000 | Open | Supplier review | 6 |
| RTP-009 | R-004 | Monthly supplier status review | A 5.22 | Procurement | 2026-01-01 | Recurring | 0 | In progress | Review notes | 9 |
| RTP-010 | R-005 | Implement IaC scanning in CI pipeline | A 8.28 A 8.9 | Head of Engineering | 2026-03-15 | 2026-06-30 | 5000 | In progress | Pipeline logs | 6 |
| RTP-011 | R-005 | Enable S3 public-access block at account level | A 8.9 | IT Operations Lead | 2026-03-01 | 2026-04-15 | 0 | Completed | Config report | 6 |
Sources
- ISO/IEC 27001:2022, Clause 6.1.3 — information security risk treatment
- ISO/IEC 27005:2022, Section 10 — risk treatment
- BSI Standard 200-3 — risk analysis based on IT-Grundschutz