Risk Treatment

Frameworks: ISO 27001, SOC 2

The action chosen for each identified risk: avoid, mitigate, transfer, or accept.

Risk Treatment is the selection and implementation of one of four responses to identified risk: avoid (eliminate the activity), mitigate (apply controls to reduce likelihood/impact), transfer (insurance, contractual indemnity), or accept (formally retain the residual risk).

Why it matters
Accepted risks must be approved by an authority whose level matches the potential impact, and the acceptance must be re-reviewed periodically. Implicit acceptance (a risk that is neither treated nor formally signed off) is the most common audit gap.

Related terms

Risk Assessment
Structured identification, analysis, and evaluation of risks to assets, processes, or data.
ISMS (Information Security Management System)
A documented, risk-based management system for information security — the object of ISO 27001 certification.