Risk Treatment
What is Risk Treatment?
Risk Treatment: The decision and actions taken to modify a risk, typically by accepting, mitigating, transferring, or avoiding it, based on the organization's risk criteria.
Risk treatment is the step in the risk management cycle where assessed risks are matched with a response. The classic options are: accept (live with the residual risk), mitigate (apply controls to reduce likelihood or impact), transfer (insurance, contractual clauses, outsourcing), or avoid (stop or redesign the activity). Treatment plans specify owners, costs, timelines, target residual risk, and required controls drawn from frameworks such as ISO/IEC 27001 Annex A or NIST SP 800-53. The plan is tracked in the risk register and revisited when controls fail, threats change, or business objectives evolve. Effective treatment is proportionate to the risk and aligned with risk appetite and tolerance.
● Examples
1. Deploying MFA and conditional access to mitigate account takeover risk.
2. Buying cyber insurance to transfer part of a ransomware financial loss.
● Frequently asked questions
What is Risk Treatment?
The decision and actions taken to modify a risk, typically by accepting, mitigating, transferring, or avoiding it, based on the organization's risk criteria. It belongs to the Compliance & Frameworks category of cybersecurity.
What does Risk Treatment mean?
The decision and actions taken to modify a risk, typically by accepting, mitigating, transferring, or avoiding it, based on the organization's risk criteria.
How does Risk Treatment work?
Risk treatment is the step in the risk management cycle where assessed risks are matched with a response. The classic options are: accept (live with the residual risk), mitigate (apply controls to reduce likelihood or impact), transfer (insurance, contractual clauses, outsourcing), or avoid (stop or redesign the activity). Treatment plans specify owners, costs, timelines, target residual risk, and required controls drawn from frameworks such as ISO/IEC 27001 Annex A or NIST SP 800-53. The plan is tracked in the risk register and revisited when controls fail, threats change, or business objectives evolve. Effective treatment is proportionate to the risk and aligned with risk appetite and tolerance.
How is Risk Treatment put into practice?
Risk treatment typically combines technical controls and operational practices, chosen according to the accept, mitigate, transfer, or avoid options detailed in the full definition above.
What are other names for Risk Treatment?
Common alternative names include: Risk response, Risk mitigation plan.
● Related terms
- Risk Management (compliance, № 936): The coordinated process of identifying, analyzing, evaluating, treating, monitoring, and communicating risks to keep them within an organization's defined tolerance.
- Risk Assessment (compliance, № 935): A structured activity within risk management that identifies threats, vulnerabilities, and impacts on specific assets and rates the resulting risk to support treatment decisions.
- Risk Register (compliance, № 937): A living inventory of identified risks with their description, owner, scores, treatment, and status, used to track the organization's exposure over time.
- Residual Risk (compliance, № 923): The risk that remains after planned controls and treatments have been applied, which the organization must either accept, transfer, or treat further.
- ISO/IEC 27001 (compliance, № 557): The international standard specifying requirements for an Information Security Management System (ISMS), against which organizations can be formally certified.
- NIST SP 800-53 (compliance, № 737): A NIST publication providing a comprehensive catalog of security and privacy controls for U.S. federal information systems and many private-sector adopters.
● See also
- Risk Appetite (№ 934)
- Risk Tolerance (№ 938)