
    Risk Assessment & Treatment Policy

    Defines the risk methodology, scoring and treatment approach. Mandatory under clauses 6.1.2/6.1.3.


    About this Risk Assessment & Treatment Policy

    The Risk Assessment & Treatment Policy is a ready-to-use ISO 27001:2022 template designed to help organizations document and operate the controls expected by certification auditors. It maps to clauses 6.1.2/6.1.3 of the main ISO 27001 standard.

    Use it as the baseline for your ISMS documentation, tailor it to your scope and risk appetite, then maintain it through your normal document-control process.

    What's inside

    • Pre-written purpose, scope and policy statements
    • Roles and responsibilities aligned with ISO 27001:2022
    • Control requirements mapped to clauses 6.1.2/6.1.3
    • Review, approval and version-control sections
    • Editable Word (.docx) version in the Document Pack

    Who is this for

    • Companies pursuing ISO 27001:2022 certification
    • ISMS managers and information security leads
    • Consultants delivering ISO 27001 implementations
    • Auditors preparing evidence packs for Stage 1 / Stage 2
    • SaaS and tech teams formalizing security policies

    ISO 27001:2022 relevance

    • Clause 6.1.2 - Information security risk assessment
    • Clause 6.1.3 - Information security risk treatment
    • Clause 8.2 - Risk assessment
    • Clause 8.3 - Risk treatment

    How to customise

    • Define your likelihood and impact scales (e.g. 1-5).
    • Set risk acceptance criteria and approval authority.
    • Confirm the treatment options used (modify, retain, avoid, share).
    • Reference the risk register format and review cadence.

    Evidence auditors may expect

    • Approved methodology document
    • Populated risk register with owners and review dates
    • Risk treatment plan with target dates and status
    • Evidence of risk acceptance by the accountable owner

    Auditor may ask

    Q. How are risks identified, analysed, and evaluated?
    Q. Who owns each risk and how are treatments tracked?
    Q. How is risk acceptance authorised and recorded?
    Q. How is the methodology kept consistent across assessments?

    These are realistic questions an external auditor may use to test the control. Your answers must be supported by the evidence listed above.

    Get the editable Risk Assessment & Treatment Policy

    Buy this template on its own for $34, or unlock the full Document Pack for $99 (one-time).