
ISO 27005 Risk treatment plan template

Use this template to turn assessed risks into owned action with explicit residual risk decisions.

Designed for reviewability, accountability, and cleaner audit evidence.

Author
Sorena AI
Published
Mar 4, 2026
Updated
Mar 4, 2026
Overview

A risk treatment plan should do more than list controls. It should explain the chosen treatment option, the actions that will be taken, who owns delivery, what success looks like, what evidence will show progress, and what residual risk remains after treatment. This template is designed to make those elements visible in one place.

Section 2

Field set for each treatment item

The fields below are designed to make treatment status auditable and useful in management review. If a field cannot be populated, you probably have an ownership or evidence problem rather than only a template problem.

Write items as commitments that can be tested later, not as generic aspirations.

  • Risk ID and short description pulled directly from the assessment record
  • Selected treatment option such as modify, retain, avoid, or share, with rationale
  • Treatment owner and risk owner, with clear distinction where they differ
  • Specific actions or controls to be implemented or changed
  • Milestones, target dates, dependencies, and blockers
  • Acceptance criteria showing how success will be judged
  • Evidence links for tickets, test results, monitoring, approvals, or configuration proof
  • Expected residual risk and the authority level required for acceptance
Section 3

How to handle residual risk well

Residual risk acceptance should not be implicit. The plan should say whether residual exposure will be accepted, under what conditions, by whom, and until when if the acceptance is time-bound.

This is especially important where treatment is staged over time and the organization is temporarily accepting a higher level of exposure while the plan is still in flight.

  • Record the approver, the date, the conditions, and the re-review trigger
  • Escalate approvals that exceed the normal authority threshold
  • Treat missed milestones or failed controls as triggers for reassessment, not only project delays
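
The field set in Section 2 and the residual-risk rules in Section 3 can be enforced as checks before an item enters management review; the Python below is an added example, not part of the template, that runs those checks over two constructed items. The field names, the authority ladder (team lead may accept low residual risk, CISO medium, board high) and the sample records are assumptions.

```python
from datetime import date

TREATMENT_OPTIONS = {"modify", "retain", "avoid", "share"}
REQUIRED = ("risk_id", "description", "option", "rationale", "treatment_owner",
            "risk_owner", "actions", "milestones", "acceptance_criteria",
            "evidence", "residual_risk", "acceptance")
ACCEPTANCE_FIELDS = ("approver", "role", "date", "conditions", "re_review_trigger")
LEVELS = ["low", "medium", "high"]
# Assumed authority ladder: the highest residual rating each role may accept.
AUTHORITY = {"team_lead": "low", "ciso": "medium", "board": "high"}
AS_OF = date(2026, 3, 4)  # review date used for the constructed samples


def find_issues(item, today):
    """Return findings for one treatment item; an empty list means plan-ready."""
    issues = [f"missing field: {f}" for f in REQUIRED if not item.get(f)]
    if item.get("option") not in TREATMENT_OPTIONS:
        issues.append(f"unknown treatment option: {item.get('option')!r}")
    acc = item.get("acceptance") or {}
    issues += [f"acceptance incomplete: {f}" for f in ACCEPTANCE_FIELDS if not acc.get(f)]
    residual, limit = item.get("residual_risk"), AUTHORITY.get(acc.get("role"))
    if residual in LEVELS and limit and LEVELS.index(residual) > LEVELS.index(limit):
        issues.append("escalate: residual risk exceeds approver authority")
    if acc.get("until") and acc["until"] < today:
        issues.append("reassess: time-bound acceptance has lapsed")
    for m in item.get("milestones", []):  # missed milestone => reassessment trigger
        if not m.get("done") and m["due"] < today:
            issues.append(f"reassess: milestone overdue: {m['name']}")
    return issues


# Constructed sample items (not taken from any real register).
GOOD_ITEM = {
    "risk_id": "R-017", "description": "Unpatched internet-facing VPN appliance",
    "option": "modify", "rationale": "Patch and restrict the management plane",
    "treatment_owner": "netops-lead", "risk_owner": "head-of-infra",
    "actions": ["apply vendor patch", "restrict admin interface to bastion"],
    "milestones": [{"name": "patch applied", "due": date(2026, 4, 1), "done": True}],
    "acceptance_criteria": "No critical findings on the appliance in the next scan",
    "evidence": ["TICKET-1234", "scan report link"], "residual_risk": "medium",
    "acceptance": {"approver": "J. Doe", "role": "ciso", "date": date(2026, 3, 4),
                   "conditions": "management plane restricted to bastion",
                   "re_review_trigger": "next scan or new vendor advisory",
                   "until": date(2026, 9, 30)},
}
WEAK_ITEM = {**GOOD_ITEM, "risk_id": "R-018", "residual_risk": "high", "evidence": [],
             "milestones": [{"name": "patch applied", "due": date(2026, 2, 1)}],
             "acceptance": {"approver": "A. Smith", "role": "team_lead", "date": date(2026, 3, 4)}}

if __name__ == "__main__":
    for item in (GOOD_ITEM, WEAK_ITEM):
        print(item["risk_id"], find_issues(item, AS_OF) or "plan-ready")
```
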
Section 4

Tie the plan back into the ISMS

Treatment plans should connect directly to the wider ISMS evidence model. If the treatment involves control implementation, the relevant control records, operating evidence, and later review outputs should all point back to the same risk identifier.

This prevents treatment work from becoming detached from the risk decision that justified it.

  • Cross-link treatment items to the risk register, control evidence, audit findings, and management review outputs
  • Use one action status model across security, engineering, and governance teams so progress reads consistently