Most people think risk assessment is the most difficult part of implementing ISO 27001 – true, risk assessment is probably the most complex, but risk treatment is definitely the one that is more strategic and more costly.
The purpose of risk treatment seems rather simple: to control the risks identified during the risk assessment; in most cases this would mean to decrease the risk by reducing the likelihood of an incident (e.g., by using nonflammable building materials), and/or to reduce the impact on assets (e.g., by using automatic fire-suppression systems). During the risk treatment the organization should focus on those risks that are not acceptable; otherwise, it would be difficult to define priorities and to finance the mitigation of all the identified risks.
See also: ISO 27001 risk assessment & treatment – 6 basic steps.
4 most common treatment options
Once you have a list of unacceptable risks, you have to go one by one and decide how to treat each – usually, these options are applied:
- Decrease the risk – this option is the most common, and it includes implementation of safeguards (controls) – like fire-suppression systems, etc.
- Avoid the risk – stop performing certain tasks or processes if they incur such risks that are simply too big to mitigate with any other options – e.g., you can decide to ban the usage of laptops outside of the company premises if the risk of unauthorized access to those laptops is too high (because, e.g., such hacks could halt the complete IT infrastructure you are using).
- Share the risk – this means you transfer the risk to another party – e.g., you buy an insurance policy for your building against fire, and therefore you transfer part of your financial risk to an insurance company. Unfortunately, this option does not have any influence on the incident itself, so the best strategy is to use this option together with options 1) and 2).
- Retain the risk – this is the least desirable option, and it means your organization accepts the risk without doing anything about it. This option should be used only if the mitigation cost would be higher than the damage an incident would incur.
Decreasing the risks is the most common option for treating the risks, and for that purpose the controls from ISO 27001 Annex A are used (and any other controls that a company thinks are appropriate). See here how the controls are organized: Overview of ISO 27001:2013 Annex A.
Before you start the risk treatment
Before starting the risk treatment process, you should be aware of the main inputs: these are Risk Management Methodology and unacceptable risks from the risk assessment; however, an additional input should also be the available budget for the current year, because very often the mitigation will require an investment.
When selecting new controls, basically there are three types of controls:
- Defining new rules: rules are documented through plans, policies, procedures, instructions, etc., although you don’t have to document some less complex processes.
- Implementing new technology: for example, backup systems, disaster recovery locations for alternative data centers, etc.
- Changing the organizational structure: in some cases, you will need to introduce a new job function, or change the responsibilities of an existing position.
Deciding which controls to select
Risk treatment is a step where you normally wouldn’t include a very wide circle of people – you will have to brainstorm on each treatment option with specialists in your company who focus on certain areas. For example, if the treatment has to do with IT, you will speak to your IT guys; if it is about new trainings, you will speak to human resources, etc.
Of course, the final decision about some new treatment option will require a decision from the appropriate management level – sometimes the CISO will be able to make such decisions, sometimes it will be your project team, sometimes you will have to go to the department head in charge of a particular field (e.g., head of the legal department if you ask for additional clauses in the contracts with your partners), or perhaps to the executive level for larger investments. If you have doubts regarding who can decide what, consult with your project sponsor.
The process of risk treatment is very often documented similarly to the process of risk assessment – through Excel sheets or a tool, and finally, in the Risk treatment report. An example of a risk treatment table might look something like this:
| Asset | Threat | Vulnerability | Treatment option | Means of implementation |
| Server | Fire | No fire extinguisher | 1) Decrease risk + 2) Share risk | Purchase fire extinguisher + buy insurance policy against fire |
| Laptop | Access by unauthorized persons | Inadequate password | 1) Decrease risk | Write Password Policy |
| System administrator | Leaving the company | No replacement | 1) Decrease risk | Hire second system administrator who will learn everything the first one does |
If you choose to measure residual risks, it should be done together with responsible persons in departments – you have to show them which treatment options you have planned for, and based on this information, and using the same scales, you have to assess the residual risk for every unacceptable risk identified earlier during risk assessment. So, for instance, if you had identified a consequence of level 4 and likelihood of level 5 during your risk assessment (which would mean risk of 9 by the method of addition), your residual risk may be 5 if you assessed that the consequence would lower to 3 and likelihood to 2 due to, e.g., safeguards you planned to implement.
Be creative!
When considering these options, and particularly safeguards that involve an investment in technology, please beware of the following: very often the first idea that comes to mind will be the most expensive – therefore, think hard before you purchase some expensive new system. Sometimes alternatives will exist that will be equally effective, but with lower cost. Also, be aware that most of the risks exist because of human behavior, not because of machines – therefore, it is questionable whether a machine is the solution to such a problem.
In other words, this is where you need to get creative – you need to figure out how to decrease the risks with minimum investment. It would be the easiest if your budget was unlimited, but that is never going to happen. And, I must tell you that unfortunately, your management is right – it is possible to achieve the same result with less money – you only need to be clever enough to come up with a solution.
This article is an excerpt from the new book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own. 
The post 4 mitigation options in risk treatment according to ISO 27001 appeared first on 27001Academy.