Free Risk Treatment Plan Template

A risk treatment plan documents how your client will respond to each identified cybersecurity risk — whether to mitigate it with controls, accept it within appetite, transfer it via insurance, or avoid it entirely. CisoDeck helps vCISOs generate structured, framework-aligned treatment plans that flow directly from the risk register, eliminating the manual work of building treatment matrices in spreadsheets.

Key takeaways

  • Four treatment options per risk: mitigate, accept, transfer, or avoid
  • Auto-maps controls to ISO 27001 Annex A and NIST CSF 2.0
  • Calculates residual risk after treatment for management sign-off
  • Tracks treatment actions with owners, deadlines, and completion status
  • Generates branded PDF treatment plans for audit and board review

Why do vCISOs need a risk treatment plan template?

Identifying risks is only half the job. The real value a vCISO provides is guiding clients through treatment decisions — helping them allocate security budget to the risks that matter most. A structured treatment plan turns a list of vulnerabilities into an actionable roadmap with clear ownership and timelines.

Without a treatment plan, risk registers become shelf-ware. Risks get identified in assessments but nothing changes. A treatment plan creates accountability: every risk has an owner, a deadline, and a documented decision. That is what auditors want to see, and it is what earns client renewals.

What should a risk treatment plan include?

Treatment Decision

The chosen option (mitigate, accept, transfer, avoid) with documented rationale and alignment to the organization's risk appetite.

Controls & Actions

Specific security controls mapped to frameworks, implementation actions, responsible owners, and target completion dates.

Residual Risk

Recalculated likelihood and impact after treatment, showing the expected risk reduction and whether residual risk falls within appetite.

Acceptance Sign-off

Formal documentation of risk acceptance by authorized management, with date, signature line, and review schedule.

How do you build a risk treatment plan with CisoDeck?

1. Import risks from the risk register

Select assessed risks from your client's risk register. Each risk carries its inherent likelihood, impact, and severity rating into the treatment plan.

2. Select treatment options

For each risk, choose mitigate, accept, transfer, or avoid. Document the rationale for the chosen option and link it to the organization's risk appetite statement.

3. Define controls and actions

Map specific controls (ISO 27001 Annex A, NIST CSF 2.0) to each risk being mitigated. Assign owners, set deadlines, and estimate implementation effort.

4. Calculate residual risk and generate report

CisoDeck calculates residual risk after treatment. Generate a branded PDF showing the treatment plan, residual risk heatmap, and acceptance sign-off for management review.
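As an added illustration of the four steps above (example code written for this page, not CisoDeck's own implementation), the following Python model carries a risk's inherent likelihood and impact into a treatment decision, applies the rule for each of the four options, and flags which rows need management sign-off. It assumes a 5x5 likelihood-by-impact scale, a numeric appetite threshold, and an illustrative Annex A control reference; the register rows are constructed.

```python
from dataclasses import dataclass, field
from datetime import date
from enum import Enum
from typing import List, Optional

class Option(Enum):
    MITIGATE = "mitigate"
    ACCEPT = "accept"
    TRANSFER = "transfer"
    AVOID = "avoid"

@dataclass
class Treatment:
    rid: str                  # risk id carried over from the register
    likelihood: int           # inherent likelihood, assumed 1..5 scale
    impact: int               # inherent impact, assumed 1..5 scale
    option: Option
    actions: List[dict] = field(default_factory=list)   # control, owner, due, done
    residual_likelihood: Optional[int] = None           # re-estimated after controls
    residual_impact: Optional[int] = None

    def residual(self) -> int:
        # Avoid: nothing remains; accept: residual == inherent; mitigate/transfer: re-estimated pair.
        if self.option is Option.AVOID:
            return 0
        if self.option is Option.ACCEPT:
            return self.likelihood * self.impact
        if self.residual_likelihood is None or self.residual_impact is None:
            raise ValueError(f"{self.rid}: {self.option.value} needs a residual estimate")
        return self.residual_likelihood * self.residual_impact

    def overdue(self, today: date) -> List[dict]:
        return [a for a in self.actions if not a["done"] and a["due"] < today]

def plan_rows(plan: List[Treatment], appetite: int, today: date) -> List[dict]:
    rows = []
    for t in plan:
        inside = t.residual() <= appetite   # sign-off needed if accepted or still above appetite
        rows.append({"id": t.rid, "option": t.option.value, "inherent": t.likelihood * t.impact,
                     "residual": t.residual(), "within_appetite": inside, "overdue": len(t.overdue(today)),
                     "needs_signoff": t.option is Option.ACCEPT or not inside})
    return rows

SAMPLE_PLAN = [  # constructed sample, not real client data
    Treatment("R-01", 4, 5, Option.MITIGATE, residual_likelihood=1, residual_impact=5,
              actions=[{"control": "ISO 27001 A.8.8", "owner": "IT lead", "due": date(2025, 1, 31), "done": False}]),
    Treatment("R-02", 3, 4, Option.TRANSFER, residual_likelihood=3, residual_impact=2),
    Treatment("R-03", 4, 4, Option.ACCEPT),
    Treatment("R-04", 2, 3, Option.AVOID),
]
```

Running `plan_rows(SAMPLE_PLAN, 8, date(2025, 3, 1))` shows the accepted R-03 (residual 16, above an appetite of 8) as the only row needing sign-off, and R-01 with one overdue action.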

Frequently asked questions

What is a risk treatment plan?
A risk treatment plan documents the decisions made about each identified risk: whether to mitigate, accept, transfer, or avoid it. It includes the chosen treatment option, specific controls or actions, responsible owners, timelines, residual risk levels, and acceptance criteria. ISO 27001 Clause 6.1.3 specifically requires organizations to formulate a risk treatment plan.
What are the four risk treatment options?
The four standard options are: Mitigate (implement controls to reduce likelihood or impact), Accept (acknowledge the risk falls within appetite and document the rationale), Transfer (shift the risk to a third party via insurance, outsourcing, or contracts), and Avoid (eliminate the activity or condition that creates the risk). Most risks end up being mitigated or accepted.
How does a risk treatment plan differ from a risk register?
A risk register identifies and assesses risks — it documents what could go wrong, how likely it is, and what the impact would be. A risk treatment plan documents what you are going to do about each risk. The register feeds the treatment plan. In CisoDeck, risks flow directly from the register into the treatment plan with treatment options, actions, and owners.
Is this template aligned to ISO 27001?
Yes. The template follows ISO 27001:2022 Clause 6.1.3 requirements for risk treatment planning. It includes treatment option selection, control mapping to Annex A, residual risk calculation, risk owner assignment, and formal acceptance documentation. It also maps to NIST CSF 2.0 and SOC 2 criteria.
Can I track treatment plan progress across multiple clients?
Yes. CisoDeck provides a multi-client workspace where each client has their own risk register and treatment plan. You can see treatment plan completion rates, overdue actions, and residual risk levels across your entire portfolio from one dashboard.
Is this risk treatment plan template free?
Yes. You can generate risk treatment plans during CisoDeck's 14-day free trial with no credit card required. After the trial, risk treatment planning is included in every plan, starting at $49/mo. The template is production-ready for vCISO engagements.

Ready to streamline your vCISO practice?

14-day free trial. No credit card required. Cancel anytime.