
ISO/IEC 27005 FAQ Treatment Options

Answer treatment options questions with explicit owner, evidence, and escalation expectations for ISO/IEC 27005.

This page covers the treatment choices, their ownership, the evidence that should exist for each, the review triggers, and the escalation criteria for this decision area, supported by source-linked risk-management guidance.

Author
Sorena AI
Published
May 9, 2026
Updated
May 9, 2026
Questions: 4 (structured answer sets in this page tree)
Primary sources: 3 (cited legal and guidance references)
Overview

This FAQ helps teams decide whether to accept, avoid, modify, or share a risk, and what must be owned, evidenced, and reviewed.

Question 1

What are the treatment options under ISO/IEC 27005, and how do we choose?

ISO/IEC 27005 frames treatment as four practical choices: retain (accept) the risk by informed decision, avoid the risk by not starting or not continuing the activity that gives rise to it, modify the risk by changing controls or plans so that likelihood or consequence is reduced, or share the risk with another party through contracts, insurance, or similar arrangements. The right choice depends on whether the risk already sits within the organization's risk acceptance criteria, whether the activity can be changed or stopped, whether controls can bring the residual risk to an acceptable level, and whether sharing is genuinely available and moves exposure rather than only paperwork. Sharing does not transfer accountability: the organization still owns the outcome if the other party fails.

Start with one decision record: scope, required inputs, owner, evidence location, and review condition. Then route the result to a treatment or acceptance gate. If the risk is already within the acceptance criteria, acceptance may be appropriate, but it must be an explicit, approved decision rather than a default. If the activity should not continue, avoid it. If the risk can be reduced, modify it and record the expected residual risk. If another party can carry part of the exposure, share it and record what remains with the organization. Whatever the choice, compare the residual risk against the acceptance criteria before approval.

  • Name the accountable owner and reviewer for the chosen treatment option.
  • Record the scope, assumptions, decision, approval date, evidence location, exception status, and next review trigger.
  • Escalate when the treatment choice changes risk acceptance, service commitments, customer promises, regulatory duties, or certification evidence.
Citations
NIST SP 800-30 Rev. 1

Risk assessment guidance that lists risk responses and supports choosing between accept, avoid, mitigate, share, or transfer.

Question 2

What evidence should prove that treatment option decisions are current under ISO/IEC 27005?

The evidence should show the process operating, not just that a procedure exists. For this artifact, the strongest record usually includes the risk criteria in force, the scenarios assessed, the likelihood and impact rationale, the treatment decision for each risk, the residual-risk approvals, and the review records that show the decision was revisited when facts changed.

Avoid evidence that only repeats a requirement. A reviewer should be able to see the actual owner, date, system, supplier, AI system, service, incident, risk, or control sample behind the answer.

  • Use source records from the system of work, not screenshots created only for audit day.
  • Keep exceptions visible as risk acceptance, corrective action, or management-review input.
  • Update linked registers when the answer changes an owner, risk, control, service, supplier, or review date.
Question 3

Who should approve treatment option decisions under ISO/IEC 27005?

The person who can fund, operate, and correct the process should own the decision; governance should review consistency and exceptions.

For high-impact changes, approval should include the teams affected by the evidence: security, privacy, resilience, supplier management, AI governance, legal, risk, or business service owners as relevant.

  • Use a named owner, named backup, and named escalation forum.
  • Separate preparation work from risk acceptance and final approval.
  • Keep approval records with the evidence rather than in disconnected email threads.
Question 4

When should treatment option decisions be reviewed under ISO/IEC 27005?

Review them at planned intervals and whenever the underlying scope, service, supplier, control, risk, AI system, personal data flow, incident process, or customer commitment changes. A treatment decision made against one set of facts does not carry over automatically to a changed environment.

A stale record is worse than a short record. If the facts change, update the evidence and mark what changed so the next reviewer can trust the page.

  • Set a planned review date and a change-trigger rule.
  • Use findings to update controls, procedures, contracts, risk registers, or training.
  • Carry unresolved items into management review or risk acceptance.
Primary sources

References and citations

  • ISO/IEC 27001, "Information security management systems - Requirements" (iso.org): primary ISO listing for the current ISMS requirements standard.
  • ISO/IEC 27005, "Guidance on managing information security risks" (iso.org): primary ISO listing for the current information security risk-management guidance.
  • NIST SP 800-30 Rev. 1, "Guide for Conducting Risk Assessments" (nvlpubs.nist.gov): risk assessment guidance used for comparison with ISO/IEC 27005.