Risk Treatment Plan Template
| Property | Value |
|---|---|
| Document ID | RISK-002 |
| Version | 1.0 |
| Status | Draft |
| Owner | Chief Information Security Officer (CISO) |
| Last Updated | 2026-01-11 |
| Next Review | 2027-01-11 |
| Related Controls | SOC 2: CC3.1-CC3.4 / ISO 27001: 6.1.3, 8.3 |
1. Purpose
This template documents how identified risks will be treated, including specific actions, responsibilities, timelines, and resources. Risk treatment plans ensure systematic reduction of risk to acceptable levels.
2. Risk Treatment Plan Overview
| Field | Value |
|---|---|
| Plan Title | [e.g., Risk Treatment Plan Q1-Q2 2026] |
| Plan Date | [date] |
| Plan Owner | [name] |
| Review Frequency | Quarterly |
| Next Review | [date] |
| Approved By | [name, date] |
3. Risk Treatment Options
| Option | Description | Considerations |
|---|---|---|
| Mitigate | Reduce likelihood or impact through controls | Cost-effectiveness, implementation complexity |
| Transfer | Shift risk to third party | Insurance coverage, contractual terms |
| Accept | Acknowledge and monitor without further action | Risk tolerance, cost of treatment |
| Avoid | Eliminate the risk by avoiding the activity | Business impact, feasibility |
4. Risk Treatment Entry Template
Treatment Entry Format
| Field | Description |
|---|---|
| Treatment ID | Unique identifier (TRT-XXXX) |
| Related Risk ID | Reference to risk register entry |
| Risk Title | Name of the risk being treated |
| Current Risk Score | Score before treatment |
| Treatment Option | Mitigate/Transfer/Accept/Avoid |
| Treatment Description | What actions will be taken |
| Expected Outcome | How risk will be reduced |
| Target Risk Score | Expected score after treatment |
| Owner | Person responsible for treatment |
| Resources Required | Budget, personnel, technology |
| Start Date | When treatment begins |
| Target Completion | When treatment should be complete |
| Milestones | Key checkpoints |
| Status | Not Started/In Progress/Complete/Delayed/On Hold (see Status Definitions in Section 6) |
| Residual Risk | Risk remaining after treatment |
5. Sample Risk Treatment Plans
TRT-001: Ransomware Risk Mitigation
| Field | Value |
|---|---|
| Treatment ID | TRT-001 |
| Related Risk ID | RISK-2026-001 |
| Risk Title | Ransomware Attack |
| Current Risk Score | 15 (High) |
| Treatment Option | Mitigate |
| Treatment Description | Implement multi-layered ransomware defense including immutable backups, network segmentation, and enhanced endpoint protection |
| Target Risk Score | 9 (Medium) |
| Owner | CISO |
| Budget | $50,000 |
| Start Date | 2026-01-15 |
| Target Completion | 2026-06-30 |
Action Items:
| # | Action | Owner | Due Date | Status |
|---|---|---|---|---|
| 1 | Implement immutable backup solution | DevOps Lead | 2026-02-28 | In Progress |
| 2 | Configure backup air-gap storage | DevOps Lead | 2026-03-15 | Not Started |
| 3 | Deploy network segmentation | Network Eng | 2026-04-30 | Not Started |
| 4 | Implement PAM solution | Security | 2026-05-31 | Not Started |
| 5 | Conduct ransomware tabletop exercise | Security | 2026-06-15 | Not Started |
| 6 | Verify backup restore capability | DevOps | 2026-06-30 | Not Started |
TRT-002: Third-Party Risk Mitigation
| Field | Value |
|---|---|
| Treatment ID | TRT-002 |
| Related Risk ID | RISK-2026-002 |
| Risk Title | Third-Party Data Breach |
| Current Risk Score | 12 (High) |
| Treatment Option | Mitigate + Transfer |
| Treatment Description | Enhance vendor security assessment program and ensure contractual protections |
| Target Risk Score | 8 (Medium) |
| Owner | Security Lead |
| Budget | $20,000 |
| Start Date | 2026-01-15 |
| Target Completion | 2026-04-30 |
Action Items:
| # | Action | Owner | Due Date | Status |
|---|---|---|---|---|
| 1 | Complete vendor inventory | Procurement | 2026-02-15 | In Progress |
| 2 | Classify vendors by risk tier | Security | 2026-02-28 | Not Started |
| 3 | Develop enhanced security questionnaire | Security | 2026-03-15 | Not Started |
| 4 | Assess all high-risk vendors | Security | 2026-04-15 | Not Started |
| 5 | Update contract templates | Legal | 2026-03-31 | Not Started |
| 6 | Implement continuous monitoring | Security | 2026-04-30 | Not Started |
TRT-003: Phishing Risk Mitigation
| Field | Value |
|---|---|
| Treatment ID | TRT-003 |
| Related Risk ID | RISK-2026-003 |
| Risk Title | Credential Phishing |
| Current Risk Score | 12 (High) |
| Treatment Option | Mitigate |
| Treatment Description | Implement phishing-resistant MFA and enhanced security awareness program |
| Target Risk Score | 6 (Medium) |
| Owner | Security Lead |
| Budget | $15,000 |
| Start Date | 2026-01-15 |
| Target Completion | 2026-05-31 |
Action Items:
| # | Action | Owner | Due Date | Status |
|---|---|---|---|---|
| 1 | Deploy FIDO2 security keys to privileged users | IT | 2026-02-28 | In Progress |
| 2 | Enable number matching for push MFA | IT | 2026-02-15 | Complete |
| 3 | Implement phishing simulation program | Security | 2026-03-31 | Not Started |
| 4 | Deploy email link protection | IT | 2026-03-15 | Not Started |
| 5 | Conduct targeted training for high-risk roles | Security | 2026-04-30 | Not Started |
| 6 | Measure and report phishing metrics | Security | 2026-05-31 | Not Started |
6. Risk Treatment Tracking Dashboard
Summary View
| Treatment ID | Risk | Current Score | Target Score | Status | % Complete | Due Date |
|---|---|---|---|---|---|---|
| TRT-001 | Ransomware | 15 | 9 | In Progress | 15% | 2026-06-30 |
| TRT-002 | Third-Party Breach | 12 | 8 | In Progress | 10% | 2026-04-30 |
| TRT-003 | Phishing | 12 | 6 | In Progress | 20% | 2026-05-31 |
| TRT-004 | Unpatched Vulns | 9 | 4 | Not Started | 0% | 2026-04-30 |
| TRT-005 | Insider Threat | 8 | 4 | Not Started | 0% | 2026-06-30 |
Status Definitions
| Status | Description |
|---|---|
| Not Started | Treatment planning complete, execution not begun |
| In Progress | Actions underway |
| Delayed | Behind schedule |
| Complete | All actions finished |
| On Hold | Temporarily paused |
7. Risk Acceptance Record
For risks where the selected treatment option is Accept, complete the following record:
| Field | Value |
|---|---|
| Risk ID | [RISK-XXXX] |
| Risk Title | [title] |
| Risk Score | [score] |
| Justification | [why accepting is appropriate] |
| Compensating Controls | [any partial mitigations in place] |
| Conditions | [circumstances under which to re-evaluate] |
| Review Date | [when to reassess] |
| Accepted By | [name, title] |
| Acceptance Date | [date] |
8. Resource Requirements Summary
| Category | Q1 | Q2 | Q3 | Q4 | Total |
|---|---|---|---|---|---|
| Personnel (hours) | 200 | 300 | 150 | 100 | 750 |
| Tools/Technology | $30K | $25K | $10K | $5K | $70K |
| External Services | $10K | $15K | $5K | $0K | $30K |
| Training | $5K | $5K | $5K | $5K | $20K |
| Total | $45K | $45K | $20K | $10K | $120K |
9. Review and Approval
Treatment Plan Approval
| Role | Name | Signature | Date |
|---|---|---|---|
| Plan Owner | _________________ | _________________ | ________ |
| CISO | _________________ | _________________ | ________ |
| Executive Sponsor | _________________ | _________________ | ________ |
Quarterly Review Record
| Review Date | Reviewed By | Key Updates | Next Review |
|---|---|---|---|
| 2026-04-01 | | | 2026-07-01 |
| 2026-07-01 | | | 2026-10-01 |
| 2026-10-01 | | | 2027-01-01 |
10. Evidence Requirements
| Evidence Type | Description | Location | Retention |
|---|---|---|---|
| Treatment Plans | Documented treatment strategies | GRC platform | 3 years |
| Progress Reports | Status updates and milestones | GRC/ticketing | 3 years |
| Completion Evidence | Proof of control implementation | Document repository | 3 years |
| Acceptance Records | Approved risk acceptances | GRC platform | Duration + 1 year |
| Review Records | Quarterly review documentation | Document repository | 3 years |
11. Related Documents
- Risk Assessment Template (RISK-001)
- Control Mapping Matrix (RISK-004)
- Information Security Policy (POL-001)
12. Version History
| Version | Date | Author | Changes |
|---|---|---|---|
| 1.0 | 2026-01-11 | Security Team | Initial release |
This document is classified as INTERNAL. Unauthorized distribution is prohibited.