Document ID: ISMS-RTP-001 | Version: 1.0 | Date: March 2026 | Classification: Internal | Owner: Information Security Manager
Purpose
This plan documents the agreed treatment actions for all risks rated High or Critical in the Risk Register (ISMS-RISK-001), in accordance with ISO/IEC 27001:2022 Clauses 6.1.3 and 8.3. It translates risk decisions into concrete, owned, time-bound actions with defined evidence of completion and tracks the expected reduction in residual risk score.
This document is reviewed monthly by the ISM and formally at each Management Review (Clause 9.3). Treatment owners are responsible for providing progress updates to the ISM no less than monthly.
Treatment Actions
| Risk ID | Risk Description | Treatment Action | Controls Applied (Annex A) | Owner | Budget Estimate | Start Date | Target Completion | Completion Evidence | Residual Risk Score | Status |
|---|---|---|---|---|---|---|---|---|---|---|
| R-001 | Ransomware encryption of client SIEM data - unpatched systems, no offline backup | 1. Enforce patch management SLA: critical CVEs patched within 30 days; configure automated scanning with Tenable or Qualys. 2. Implement immutable offline backup: daily encrypted backup to air-gapped or write-once cloud storage. 3. Monthly backup restore test with documented evidence. | 8.8 (Patch management), 8.13 (Backup) | SOC Manager | $5,000 one-off + $1,200/yr scanning licence | 2026-03-01 | 2026-04-30 | Patch compliance dashboard showing 100% within SLA; backup restore test report signed by ISM | 8 | In Progress |
| R-002 | Phishing / no MFA on Microsoft 365 - account takeover risk | 1. Enable Entra ID Conditional Access policy requiring MFA for all users on all applications. 2. Block legacy authentication protocols (IMAP, POP3, SMTP AUTH). 3. Deploy phishing-resistant MFA (FIDO2 keys) for privileged accounts. | 8.5 (Secure authentication) | IT Manager | $2,000 one-off (hardware tokens for privileged users) | 2026-03-01 | 2026-03-31 | Conditional Access policy screenshot showing 0 exclusions; MFA enforcement compliance report from Entra ID; sign-in log confirming no legacy auth | 4 | Complete |
| R-003 | AWS misconfiguration / no automated configuration scanning - public exposure of client data | 1. Deploy AWS Config with managed rule sets (s3-bucket-public-read-prohibited, restricted-ssh, etc.). 2. Enable AWS Security Hub with AWS Foundational Security Best Practices standard. 3. Implement auto-remediation Lambda for critical findings. 4. Quarterly manual review by Cloud Lead. | 8.7 (Malware/config protection), 5.37 (Operating procedures) | Cloud Lead | $3,500/yr (Security Hub + Config costs) | 2026-03-15 | 2026-04-15 | AWS Security Hub conformance report showing 0 critical findings; Config rule compliance report; auto-remediation log | 6 | In Progress |
| R-005 | Client report archive - unauthorised access due to broad permissions | 1. Audit all SharePoint report library permissions; remove all group-based access. 2. Implement named individual RBAC - read access for report recipients only; write for report authors; admin for ISM. 3. Schedule quarterly access review in Entra ID Access Reviews. | 5.15 (Access control), 5.18 (Access rights) | ISM | $0 (existing tooling) | 2026-03-01 | 2026-03-31 | Access review report showing all permissions verified; SharePoint permission report; Entra ID Access Review completion certificate | 3 | Complete |
| R-008 | Business Email Compromise / no DMARC enforcement - CEO fraud wire transfer risk | 1. Set DMARC policy to reject (p=reject) on all owned domains; verify SPF and DKIM records. 2. Establish dual-approval procedure for all wire transfers exceeding $5,000 - documented in finance procedure. 3. Conduct BEC awareness training with simulated CEO fraud scenario. | 8.23 (Web/email filtering), 5.20 (Supplier agreements and controls) | CISO | $1,000 (DMARC monitoring tool + training) | 2026-03-01 | 2026-03-31 | MXToolbox DMARC checker output confirming reject policy; finance procedure document signed by CFO; training completion records | 4 | In Progress |
| R-009 | VPN brute force - no lockout, no MFA on remote access | 1. Enable VPN account lockout after 5 failed authentication attempts with 15-minute lockout period. 2. Enforce MFA for VPN authentication using hardware token or authenticator app. 3. Enable VPN authentication failure alerting to SIEM. | 8.5 (Secure authentication), 8.15 (Logging) | IT Manager | $0 (configuration change only) | 2026-03-01 | 2026-03-31 | VPN configuration screenshot showing lockout and MFA settings; SIEM alert rule screenshot; test evidence (failed login attempt followed by lockout) | 3 | Complete |
| R-010 | Backup failure - backups not tested, no alerting | 1. Configure automated backup job monitoring with alerting to IT Manager and CISO on failure. 2. Implement monthly backup restore test procedure: restore random selection of files to isolated test environment; document result. 3. Include backup health status in weekly IT dashboard. | 8.13 (Information backup) | IT Manager | $500 (monitoring tool or cloud alerting configuration) | 2026-03-15 | 2026-04-30 | Monthly restore test log for March and April 2026; backup monitoring alert configuration evidence; IT dashboard showing backup status | 4 | In Progress |
| R-011 | Developer secrets (API keys, credentials) committed to GitHub | 1. Enable GitGuardian or GitHub Advanced Security on all repositories in the organisation. 2. Configure pre-commit hooks via pre-commit framework to scan for secrets before commit is accepted. 3. Conduct developer security awareness session on secure credential handling. 4. Rotate any existing credentials found in repository history. | 8.25 (Secure development lifecycle), 8.8 (Vulnerability management) | Technical Director | $2,400/yr (GitGuardian Business licence) | 2026-03-15 | 2026-04-15 | GitGuardian dashboard showing all repos covered; pre-commit hook configuration in repository; training attendance record; evidence of any credential rotation completed | 3 | Planned |
| R-012 | SIEM vendor breach - no security contract or DPA | 1. Engage legal counsel to draft security addendum to SIEM vendor contract including: minimum security controls, 72-hour breach notification, DPA, right to audit or receive audit report, data deletion on termination. 2. Negotiate and obtain signed contract amendment. 3. Add vendor to annual security review schedule. | 5.19 (Supplier security), 5.22 (Monitoring supplier services) | Legal / CISO | $0 internal time + external legal cost estimate $3,000 | 2026-04-01 | 2026-05-31 | Signed contract amendment including all required clauses; vendor added to supplier register with review date; DPA countersigned | 5 | Planned |
| R-004 | Insider misuse of penetration testing offensive tools - no lab egress controls or logging | 1. Implement network segmentation for lab VLAN with egress filtering: allow only approved test target IP ranges via change request; block all other outbound. 2. Deploy logging of tool execution commands to centralised SIEM via agent on lab systems. 3. Mandate individual named accounts for all offensive tools - remove shared accounts. 4. Conduct annual background checks for all lab staff. | 8.22 (Network segregation), 8.15 (Logging) | Technical Director | $4,000 (firewall rule implementation + SIEM agent licences) | 2026-04-01 | 2026-05-31 | Network diagram showing updated lab VLAN segmentation; firewall egress ruleset; SIEM alert rule for lab tool execution; individual account list confirming no shared accounts; background check completion records | 4 | Planned |
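The R-008 completion evidence calls for checker output confirming a reject policy on every owned domain. The script below is an added example, not part of this plan or of any tool named in it; it checks DMARC and SPF TXT records against the R-008 target state (p=reject, no partial pct, reporting address present, SPF ending in a failing qualifier). The record strings and domain names are constructed; in use, the records are read from DNS (for example with `dig +short TXT _dmarc.example.com`) and passed in.

```python
def parse_tags(record: str) -> dict:
    """Split a 'k=v; k=v' style DMARC TXT record into a tag dictionary (keys lowercased)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(record: str) -> list:
    """Return findings against the p=reject target state; an empty list means compliant."""
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record (missing v=DMARC1)"]
    findings = []
    policy = tags.get("p", "missing").lower()
    if policy != "reject":
        findings.append(f"policy is p={policy}, expected p=reject")
    # sp= governs subdomains; when absent it inherits p, so only an explicit weaker value is flagged
    if tags.get("sp", "reject").lower() != "reject":
        findings.append(f"subdomain policy sp={tags['sp']} is weaker than reject")
    # pct= defaults to 100; a lower value leaves part of the failing mail flow untreated
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"pct={pct} applies the policy to only part of the mail flow")
    if "rua" not in tags:
        findings.append("no rua= address, so aggregate reports for monitoring will not arrive")
    return findings


def check_spf(record: str) -> list:
    """Flag SPF records that are absent or do not end in a failing 'all' qualifier."""
    if not record.startswith("v=spf1"):
        return ["not an SPF record (missing v=spf1)"]
    last = record.split()[-1]
    if last not in ("-all", "~all"):
        return [f"SPF ends in '{last}' rather than -all or ~all"]
    return []


# Constructed sample records standing in for the organisation's real domains (example.com is a placeholder).
SAMPLE_DMARC_OK = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
SAMPLE_DMARC_WEAK = "v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@example.com"
SAMPLE_SPF_OK = "v=spf1 include:spf.protection.outlook.com -all"
SAMPLE_SPF_WEAK = "v=spf1 include:spf.protection.outlook.com ?all"

if __name__ == "__main__":
    for label, rec in (("ok", SAMPLE_DMARC_OK), ("weak", SAMPLE_DMARC_WEAK)):
        print(label, check_dmarc(rec) or "compliant")
```

The findings list, run per owned domain and stored with the date, gives the ISM a repeatable artefact alongside the MXToolbox output named in the evidence column.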
Risk Acceptance Register
The following risks have been formally accepted. Acceptance means the organisation acknowledges the risk and has determined that no further treatment is required beyond existing controls, within the current risk appetite.
| Risk ID | Risk Description | Risk Score | Acceptance Rationale | Accepted By | Date | Review Date |
|---|---|---|---|---|---|---|
| R-007 (Interim) | Physical CCTV gap in server room | 8 (Medium) | CCTV installation is planned for Q2 2026. Interim compensating controls: server room door requires badge access; access log reviewed monthly; no unescorted visitor access. Risk accepted on interim basis pending capital expenditure approval. | CISO | March 2026 | June 2026 |
| R-013 (Interim) | No 802.1X on office network | 6 (Medium) | 802.1X implementation is planned for Q2 2026. Interim compensating controls: office has physical access controls; network segmentation partially in place; no client data traverses office network. Risk accepted on interim basis. | ISM | March 2026 | June 2026 |
Residual Risk Summary
| Risk ID | Risk Description | Initial Score | Treatment Applied | Residual Score | Change |
|---|---|---|---|---|---|
| R-001 | Ransomware / unpatched SOC platform | 20 (Critical) | Patching SLA + immutable backup | 8 (Medium) | -12 |
| R-002 | Phishing / no MFA on M365 | 20 (Critical) | MFA enforced + legacy auth blocked | 4 (Low) | -16 |
| R-003 | AWS misconfiguration | 15 (Critical) | AWS Config + Security Hub + auto-remediation | 6 (Medium) | -9 |
| R-004 | Insider tooling misuse | 10 (High) | Lab segmentation + logging + individual accounts | 4 (Low) | -6 |
| R-005 | Client report overly broad access | 12 (High) | RBAC + quarterly access review | 3 (Low) | -9 |
| R-006 | HR SaaS / no SSO or MFA | 12 (High) | SSO + MFA enforcement | 4 (Low) | -8 |
| R-008 | BEC / no DMARC | 16 (Critical) | DMARC reject + dual-approval finance procedure | 4 (Low) | -12 |
| R-009 | VPN brute force / no lockout | 12 (High) | Lockout policy + MFA on VPN | 3 (Low) | -9 |
| R-010 | Backup not tested / no alerting | 12 (High) | Monthly restore testing + alerting | 4 (Low) | -8 |
| R-011 | Secrets in GitHub repos | 12 (High) | GitGuardian + pre-commit hooks | 3 (Low) | -9 |
| R-012 | Vendor breach / no DPA | 10 (High) | Security contract addendum + annual review | 5 (Medium) | -5 |
Review History
| Version | Date | Author | Changes |
|---|---|---|---|
| 1.0 | March 2026 | [ISM Name] | Initial issue |