
Risk treatment

Risk treatment is the process of selecting and implementing measures to avoid, reduce, share or knowingly accept identified information security risks.

Risk treatment is the step that follows risk assessment in the information security risk management process. Once risks have been identified, analysed and evaluated against the organisation's risk acceptance criteria, the organisation decides how to deal with each risk. ISO/IEC 27005, building on the list of options in ISO 31000, distinguishes four strategies in practice: risk avoidance (refraining from the risk-bearing activity), risk reduction (lowering the likelihood, the impact or both through security controls), risk sharing or transfer (for example through insurance or outsourcing to service providers, which shifts part of the consequences but does not make the event less likely) and risk acceptance (deliberately bearing the residual risk). These options are not mutually exclusive; a single risk is often reduced first and the remainder then shared or accepted.

Within an information security management system (ISMS) under ISO/IEC 27001, risk treatment is mandatory and clearly governed: the organisation must produce a risk treatment plan, determine the controls necessary for treatment and compare them against the normative Annex A. Controls may come from Annex A or from other sources; the comparison with Annex A is a completeness check to ensure that no necessary control has been overlooked. The outcome of this comparison is documented in the Statement of Applicability, which justifies for each control whether and why it is applied or excluded. Both the risk treatment plan and the acceptance of the remaining residual risks require the approval of the risk owners.

Risk treatment is not a one-off activity but iterative: after the chosen measures have been implemented, the residual risk is re-evaluated, and if it still does not meet the acceptance criteria, a further round of treatment follows. With the NIS2 Directive and its national transposition, demonstrable, risk-based selection of measures becomes even more important, because essential and important entities must take appropriate and proportionate technical, operational and organisational measures and prove this to supervisory authorities; Article 21(2) names minimum areas these measures must cover, among them supply chain security and the use of multi-factor authentication. Sound documentation of treatment decisions, including the reasoning behind each accepted residual risk, thus serves both as a management tool and as evidence of compliance.

Legal Basis

ISO/IEC 27001:2022 (clause 6.1.3 and Annex A), ISO/IEC 27005:2022, ISO 31000:2018; Art. 21 Directive (EU) 2022/2555 (NIS2)

Practical Example

During the risk assessment, an information security officer finds that field staff's remote access to the CRM is protected by passwords alone, creating a high risk of account takeover. As risk treatment she chooses a reduction strategy: she makes multi-factor authentication mandatory and adds logging of sign-in attempts, with the logs reviewed so that failed and unusual sign-ins are actually noticed. In the risk treatment plan she assigns the responsible IT manager as the owner of the measure along with an implementation deadline, links it to the corresponding control in the Statement of Applicability, and has the remaining residual risk formally accepted and signed off by the risk owner in the sales department. The residual risk is not zero: depending on the MFA method chosen, phishing of one-time codes or push-notification fatigue remains possible, which is exactly why the remaining risk is re-evaluated and explicitly accepted rather than assumed away.

FAQ

What are the risk treatment options?

The four classic options are risk avoidance, risk reduction, risk sharing or transfer, and risk acceptance. Avoidance means refraining from the risk-bearing activity, reduction means lowering the likelihood or impact through security controls, sharing means transferring part of the consequences, for example via insurance or outsourcing, and acceptance means deliberately bearing the residual risk.

What is the difference between risk assessment and risk treatment?

Risk assessment identifies, analyses and evaluates risks and produces a prioritised overview. Risk treatment builds on this and decides which measures handle each risk, then implements them. Assessment answers how big a risk is, while treatment answers what you do about it.

How does risk treatment relate to the Statement of Applicability?

The controls selected in the risk treatment plan are compared against Annex A of ISO/IEC 27001. The outcome is recorded in the Statement of Applicability, which justifies for each control whether it is applied or excluded. The Statement of Applicability therefore links the treatment decisions transparently to the standard.
