Your glossary for risk and compliance
Helpful definitions of all of the terms you need to know to better manage risk and compliance.
TermsAFSL Authorised Representative AICPA Annex A Controls ASIC Attestation of Compliance (AOC) Business Continuity Management Communication and consultation Compliance Automation Software Compliance Risk Management Consequence Context control Cybersecurity Cybersecurity Maturity Model Certification (CMMC) FedRAMP Governance Risk & Compliance (GRC) GPDR HIPAA HITRUST How many controls are there in ISO 27001? Incident Management Information Security Management System (ISMS) ISMS Governing Body ISO 27001 ISO 27001 certified ISO/IEC 27000 ISO/IEC 27004 ISO/IEC 27005 ISO/IEC 27017 ISO/IEC 27018 Level of risk Likelihood Notifiable Data Breach OAIC Policy Management Risk Risk analysis Risk identification Risk management Risk management framework Risk management plan Risk management policy Risk management process Risk owner Risk profile Risk review Risk source Risk treatment SOC 1 SOC 2 SOC 3 SOC Reports SOC Trust Services Criteria (TSC) SSAE 16 SSAE 18 Stakeholder Third Party Risk Management Vendor Assessment Vendor Management Policy Vendor Review Vulnerability Vulnerability Management What are the ISO 27001 controls? What is an ISO 27001 internal audit? What is an ISO 27001 risk treatment plan? What is an IT security policy? What is Hacking? What is ISO 27002? What is PaaS (Platform-as-a-Service)? What is the ASD Essential 8? What is the ISO 27001 management review? What is the ISO 27001 Stage 1 Audit? What is the ISO 27001 stage 2 audit?
What is an ISO 27001 risk treatment plan?
An ISO 27001 risk treatment plan should be developed following a company’s completion of its risk assessment, documenting its actions to address each risk identified during the assessment process. When determining how to respond to an identified risk, companies typically select from options: acceptance, mitigation, transfer, and avoidance.
A risk treatment plan will frequently contain the following elements:
Summary of each of the identified risks
- Responses designed for each risk
- Assigned owner to each identified risk, who is accountable for their respective risks
- Designated risk mitigation activity owners, responsible for performing the tasks required to address the identified risks
- Target completion date for risk treatment activities
A company will subsequently determine which controls to implement to help address identified risks. Annex A of ISO 27001 provides an ideal starting point; it contains 114 controls, divided into 14 sections, each tailored to a specific aspect of information security. When selecting controls from Annex A, a company will want to begin filling out the Statement of Applicability (SoA), a list of all of the Annex A controls, including the justification for each control's inclusion or exclusion as part of the organization’s Information Security Management System (ISMS) implementation.
Back to glossary search