August 1, 2019

Last Updated on January 13, 2024

This short post is the fourth in a series that explains in straightforward terms the process we follow to build an ISO 27001 certifiable Information Security Management System (ISMS). You can access our entire proven process here.
We hope you find these bite-sized posts useful for understanding how ISO 27001 certification is achieved, and what it could look like for your organization. You may want to read them in order, starting with Step 1. Enjoy!
Once you understand which risks you need to address, it’s time to develop a plan to improve your security controls to reduce those risks to a level that the business is comfortable with. The group of risk treatments—ideally approved by senior management—that results from this analysis and fact-finding is your risk treatment plan.
In essence, a risk treatment plan functions as a simplified, near-term, tactically focused Information Security Plan. For many small to medium businesses, this is the only document you’ll need until you’ve effectively managed all your noteworthy risks. (More about that in the next post.)
Longer-term, there may be some value in translating the risk treatment plan into a more formal, “strategic” Information Security Plan. This document would define a longer-term vision for your information security program with a prioritized view of ongoing improvements to more effectively manage risk in alignment with management’s directive.

Have questions about ISO 27001 certification or the best way to achieve your information security goals? Contact Pivot Point Security—we specialize in advising organizations on how to manage information security risk.

Access All ISO 27001 Proven Process Step Posts Here:

  1. Understand Your Scope
  2. Understand your InfoSec Controls
  3. Identify and Analyze Information Related Risk
  4. Build a Risk Treatment Plan
  5. Execute the Risk Treatment Plan
  6. Conduct an Internal Audit
  7. Certify Your ISMS
  8. Maintenance, Continuous Improvement and Recertification

Also, here is our ISO 27001 Proven Process PDF