What is a Risk Treatment Plan?

A Risk Treatment Plan (RTP) documents how an organization will address each risk it has assessed, choosing among four options: modify (reduce) the risk with controls, retain (accept) it, avoid the activity causing it, or share/transfer it via insurance or contracts. In ISO 27001 the RTP links directly to the Statement of Applicability.

A risk treatment plan matters because it forces an explicit, recorded decision about every significant risk rather than leaving treatment implied. It connects the risk assessment to action: each risk maps to a chosen option, the controls that implement it, an owner, and a deadline.

For example, a company might modify the risk of phishing with security-awareness training and MFA, accept the minor residual risk that remains, and document both choices. An auditor can then trace each risk to its treatment and to the Annex A controls selected in the Statement of Applicability.

Writing an RTP from scratch is slow because it must align cleanly with the risk register and the SoA. A template provides that linked structure and the treatment-option language auditors expect, so you decide the treatments and fill in owners and dates rather than designing the framework. The document speeds audit-readiness; actually implementing the chosen controls is what reduces the risk.

Related terms: Risk Assessment · Risk Register · Statement of Applicability (SoA) · Annex A Controls

Frequently asked questions

What are the four risk treatment options?
Modify (reduce the risk by applying controls), retain (knowingly accept it), avoid (stop the activity that creates it), and share or transfer it (for example via insurance or contractual terms). ISO 27001 expects a documented choice for each risk.

How does the risk treatment plan relate to the Statement of Applicability?
The treatment plan decides which controls you will apply to each risk; the Statement of Applicability records, for all 93 Annex A controls, which are included and why. The RTP justifies the control selections the SoA documents.

Toolkits that cover Risk Treatment Plan

ISO/IEC 27001:2022

ISO 27001 Complete Toolkit

All 24 policies and procedures plus the risk register, 93-control Statement of Applicability and audit evidence checklist — audit-ready from day one.

SOC 2 Trust Services Criteria

SOC 2 Complete Toolkit

22 policies plus the risk register, full Trust Services Criteria mapping and audit evidence checklist — built for startups facing their first SOC 2.

NIST CSF 2.0

NIST CSF 2.0 Complete Toolkit

15 editable policies and plans covering all six CSF 2.0 functions, plus a Profile & Assessment workbook with every one of the 106 subcategories, a risk register, and an audit evidence checklist.


Learn more in our ISO/IEC 27001 guide, explore the editable policy templates, or browse the full compliance glossary.


Professional editable templates — general information only, not legal, audit, tax, or certification advice, and no professional or advisory relationship is created. No purchase makes an organization compliant or certified. Review each document with qualified counsel, your compliance professional, or your auditor before relying on it. ISO, IEC, SOC 2, AICPA, HIPAA, NIST, GDPR, the EU AI Act, IRS and FTC are referenced descriptively only; ComplianceDocs (ExpertEngine LLC) is independent and is not affiliated with, endorsed by, or certified by any standards body, regulator, or audit firm.