By: Dan Richards
One of the requirements of ISO 27001 is that you identify, document, and catalog the people, business processes, and technology that fall within your ISO 27001 scope. Once you have completed that inventory, the next step is to identify the security risks that could disrupt those people, processes, or technologies. Your risk treatment plan is the list of those risks (or gaps), together with a description of how you intend to treat each one. The controls you select may be drawn from ISO 27002, but whichever control you choose must actually reduce the risk to an acceptable level; picking a control from a catalog does not by itself demonstrate that the risk is mitigated.

The risk treatment plan is intended to be a living document that records every control applied within your Information Security Management System. It also becomes the cornerstone of your security program, because it ties each selected control, whether taken from ISO 27001 or ISO 27002, back to the specific risk it mitigates and shows that the mitigation is appropriate.