User
Is it necessary to implement a treatment plan for all identified risks, or is it only necessary to apply a treatment plan if a medium or high-risk is detected? I am asking this question because in my risk assessment, all the residual risks are low, and according to my policy, only medium and high risks should receive a risk treatment plan. I want to know if it's appropriate to leave low risks without a risk treatment plan or if I should create one despite all risks being low.
Experta
Please note that to be compliant with ISO 27001 you need to treat the risks evaluated as unacceptable according to the criteria defined for your risk assessment process. Therefore, besides assessing the level of risk (e.g., low, medium, and high) you also need to define which of these are unacceptable.
There are a couple of steps needed before you define your Risk treatment plan. Only after you have evaluated a risk as unacceptable and defined a treatment option (e.g., mitigate the risk, transfer the risk, avoid the risk, or accept the risk) and controls to be applied (identified in the Statement of Applicability) you should define your Risk Treatment Plan, i.e., the actions to be performed to implement the defined controls to treat the risk.
Regarding the results of your risk assessment, I’m assuming that by “all the residual risks are low” you mean “all the assessed risks are low”, because risks can be considered residual only after you have defined a treatment option. In case all your assessed risks are low, you should review your assessment because an auditor would consider this result a problem.