What to include in a risk treatment plan template for ISO 27001
Auditors don't just want to see a risk treatment plan — they want one that proves decisions were deliberate, documented, and traceable back to specific risks. The fields you build into the template are what make that possible.
At minimum, an ISO 27001 risk treatment plan template should capture the following fields:
Risk ID — A unique reference number linking each row to the corresponding entry in your risk register
Risk description — A clear summary of the threat and the information asset at risk
Current risk level — The likelihood and impact score carried over from the risk register, before any treatment
Risk owner — The name of a specific individual (not a department) who is accountable for treatment
Treatment decision — Whether the risk will be mitigated, accepted, transferred, or avoided
Treatment rationale — Why that option was chosen, including why a risk is being accepted rather than treated
Selected Annex A controls — The control references from ISO 27001:2022 that address the risk
Treatment actions — The specific tasks needed to implement the selected controls
Implementation deadline — The target date for completing those actions
Implementation status — Not started, in progress, or complete
Residual risk level — The risk score after treatment actions and controls are in place
Approval sign-off — Confirmation that management has reviewed and authorized the plan
Review date — When the entry will next be reassessed, and by whom
ISO 27001:2022 updated the Annex A control set from 114 controls across 14 domains to 93 controls across four themes — Organizational, People, Physical, and Technological. If your organization is certifying to the 2022 version, make sure your template uses the current control numbering.
How to document risk treatment options using the template
The treatment decision column is one of the most scrutinized fields during a certification audit. ISO 27001 itself does not prescribe a fixed list of options, and ISO 31000:2018 describes a longer set (including removing the risk source and changing likelihood or consequences), but most ISO 27001 programs consolidate them into four, which ISO/IEC 27005 calls modification, retention, sharing, and avoidance:
Mitigate — Implement controls that reduce the likelihood or impact of the risk. This is the most common option and the one most directly tied to Annex A control selection.
Accept — Formally document a conscious decision to retain the risk as-is. Undocumented acceptance is one of the most frequent ISO 27001 audit findings.
Transfer — Share the risk with a third party via insurance, outsourcing, or contract. This moves part of the financial or operational impact, not your organization's accountability for the risk; you still own it in the register.
Avoid — Cease the activity that generates the risk. Appropriate when the risk outweighs the business value of continuing.
Whatever option is selected, the template must capture why. An auditor who sees "accept" in the decision column and nothing in the rationale field will flag it as a non-conformity.
How to use a risk treatment plan template for ISO 27001
The template works best as a response document, not a starting point. Before filling it in, have your completed risk assessment on hand, since every entry should trace back to a risk that has already been identified and scored. Then work through the following steps:
List each risk from your assessment. Transfer the risk ID, description, and current risk score from your risk register into the template. Keep the same numbering system so the two documents stay in sync.
Select a treatment option for each risk. Decide whether to mitigate, accept, transfer, or avoid the risk, and record the reason. The chosen option should reflect both the risk score and the cost of treatment; a low-probability risk with expensive controls may be a strong candidate for acceptance, provided the acceptance is documented and signed off.
Map your controls. For each risk you're reducing, identify the specific ISO 27001 Annex A controls being applied. Record the control reference alongside the implementation details so auditors can trace your decisions without asking for additional context.
Assign a risk owner and a deadline. Every row needs a named individual responsible for implementing the treatment and a realistic target date. Unassigned risks tend to stay unresolved.
Record the expected residual risk. After controls are applied, estimate the revised likelihood and impact scores. This tells reviewers whether the treatment is proportionate and confirms the risk will fall within your acceptance threshold.
Get sign-off from the right authority. Route the completed plan to whoever holds approval authority for the risk levels involved. High-rated risks typically need senior leadership or a risk committee to approve the plan, and a decision to accept a high-rated risk needs that same level of authority, not the risk owner alone.
Set a review date. Treatment plans go stale. Add a review date to each entry — quarterly for high-rated risks, annually for low — and assign someone to trigger that review.
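The checks in the field list and the steps above can be run mechanically before the plan goes to an auditor. The following Python script is an added example, not part of the original article or of any ISO document: it validates constructed sample rows for required fields, traceability of each risk ID to the register, a rationale behind every decision (the "accept with nothing in the rationale field" finding), valid ISO 27001:2022 Annex A control references on mitigated risks, residual risk against an acceptance threshold, overdue deadlines, and review dates within a quarterly or annual horizon. The field names, the "medium" acceptance threshold, the 90- and 365-day review horizons, the group-name heuristic for owners, and the sample rows are all assumptions made for the example.

```python
"""Pre-audit checks for ISO 27001 risk treatment plan rows (added example).
Field names, thresholds, review horizons and sample rows are assumptions."""
import re
from datetime import date, timedelta

# ISO/IEC 27001:2022 Annex A numbering: theme 5 Organizational (5.1-5.37),
# 6 People (6.1-6.8), 7 Physical (7.1-7.14), 8 Technological (8.1-8.34).
ANNEX_A_2022 = {5: 37, 6: 8, 7: 14, 8: 34}
CONTROL_RE = re.compile(r"^([5-8])\.(\d{1,2})$")

TREATMENT_OPTIONS = {"mitigate", "accept", "transfer", "avoid"}
RISK_LEVELS = {"low": 1, "medium": 2, "high": 3}
ACCEPTANCE_THRESHOLD = "medium"                      # assumed acceptance criterion
REVIEW_HORIZON_DAYS = {"high": 90, "medium": 365, "low": 365}  # assumed: quarterly / annually
REQUIRED_FIELDS = ("risk_id", "description", "owner", "decision", "rationale",
                   "deadline", "status", "residual_risk", "approved_by", "review_date")


def is_annex_a_2022(ref):
    """True if ref is a control number that exists in the 2022 Annex A (e.g. '8.5')."""
    m = CONTROL_RE.match(ref.strip())
    return bool(m) and 1 <= int(m.group(2)) <= ANNEX_A_2022[int(m.group(1))]


def check_row(row, register_ids, today):
    """Return the audit findings for one plan row (an empty list means the row is clean)."""
    findings = []
    for name in REQUIRED_FIELDS:
        value = row.get(name)
        if value is None or (isinstance(value, str) and not value.strip()):
            findings.append(f"missing {name}")

    rid = row.get("risk_id")
    if rid and rid not in register_ids:            # traceability back to the register
        findings.append(f"{rid} not in risk register")

    decision = (row.get("decision") or "").lower()
    if decision and decision not in TREATMENT_OPTIONS:
        findings.append(f"unknown treatment option '{decision}'")

    # Heuristic (assumption): an owner named as a group is not an accountable individual.
    owner = (row.get("owner") or "").lower()
    if any(word in owner for word in ("team", "department", "group")):
        findings.append("owner is a group, not a named individual")

    if decision == "mitigate":                      # only mitigation maps to Annex A
        controls = row.get("controls") or []
        if not controls:
            findings.append("mitigate selected but no Annex A controls mapped")
        for ref in controls:
            if not is_annex_a_2022(ref):
                findings.append(f"control '{ref}' is not a valid ISO 27001:2022 Annex A reference")

    residual = (row.get("residual_risk") or "").lower()
    if (residual in RISK_LEVELS and decision != "accept"
            and RISK_LEVELS[residual] > RISK_LEVELS[ACCEPTANCE_THRESHOLD]):
        findings.append(f"residual risk '{residual}' above acceptance threshold")

    deadline, status = row.get("deadline"), (row.get("status") or "").lower()
    if isinstance(deadline, date) and deadline < today and status != "complete":
        findings.append(f"deadline {deadline} passed with status '{status or 'unset'}'")

    review = row.get("review_date")
    if isinstance(review, date) and residual in REVIEW_HORIZON_DAYS:
        horizon_days = REVIEW_HORIZON_DAYS[residual]
        if review > today + timedelta(days=horizon_days):
            findings.append(f"review date {review} exceeds {horizon_days}-day horizon for {residual} residual risk")
    return findings


def check_plan(rows, register_ids, today):
    """Map each risk ID to its list of findings."""
    return {row.get("risk_id", "?"): check_row(row, register_ids, today) for row in rows}


def audit_ready(report):
    return all(not findings for findings in report.values())


# Constructed sample data: three rows and the register IDs they should trace to.
TODAY = date(2024, 6, 1)
REGISTER_IDS = {"R-001", "R-002", "R-003"}
SAMPLE_PLAN = [
    {"risk_id": "R-001", "description": "Shared admin credentials on the HR database",
     "owner": "Jane Doe (Head of IT)", "decision": "mitigate",
     "controls": ["5.15", "5.17", "8.5"], "actions": "Individual admin accounts; MFA on privileged logins",
     "deadline": date(2024, 9, 30), "status": "in progress", "residual_risk": "low",
     "rationale": "MFA rollout cost is small relative to breach impact",
     "approved_by": "CISO", "review_date": date(2025, 3, 31)},
    {"risk_id": "R-002", "description": "Loss of legacy backup tape store",
     "owner": "Facilities team", "decision": "accept", "controls": [], "actions": "",
     "deadline": date(2024, 3, 1), "status": "complete", "residual_risk": "high",
     "rationale": "", "approved_by": "", "review_date": date(2025, 6, 1)},
    {"risk_id": "R-009", "description": "Unpatched VPN appliance", "owner": "Sam Lee",
     "decision": "mitigate", "controls": ["A.9.4.2", "8.5"],   # A.9.4.2 is 2013 numbering
     "actions": "Patch and enable MFA", "deadline": date(2024, 4, 15),
     "status": "in progress", "residual_risk": "medium",
     "rationale": "Exploitable from the internet", "approved_by": "CISO",
     "review_date": date(2024, 12, 31)},
]

if __name__ == "__main__":
    for rid, findings in check_plan(SAMPLE_PLAN, REGISTER_IDS, TODAY).items():
        print(rid, "OK" if not findings else "; ".join(findings))
```

Run against the sample, R-001 is clean, R-002 is flagged for the missing rationale and sign-off, the group owner, and a review date too far out for a high residual risk, and R-009 is flagged for an ID absent from the register, a 2013-style control reference, and a missed deadline. The same checks can be wired to a CSV export of the register or to a platform's API; the point is that each finding corresponds to something an auditor would ask about.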
Platforms like SafetyCulture let teams build this process into digital templates, assign corrective actions directly from the register and generate audit-ready reports without reworking the document each cycle.
Sample risk treatment plan for ISO 27001
For reference, a sample filled-out risk treatment plan template for ISO 27001 is available as a PDF report.