Treatment Plans - A Brief Template
The following headings may be suitable for many treatment registers.
Serial (Treatment ID)
Risks Treated (Risk IDs)
Cost Implications For Other Activities
Actionee (The recipient of an action item; the person assigned responsibility for a specific task or issue.)
Writing Risk Treatments - 4As
Risk treatments and recommendations can benefit from the 4A model. It can also be used to analyze the quality of existing security plans or recommendations.
Appropriate: Addresses the root cause.
Actionable: Specifies the timeframes, actions, resources, and accountable personnel needed to implement the treatment/recommendation.
Achievable: States the criteria, individual judgement, or milestone by which the recommendation will be considered complete.
Agreed: Relevant personnel were consulted and support the treatment/recommendation.
EXAMPLE: After consultation with the Head of HR and Chief Security Officer (i.e. AGREED), the team recommend that external contractors selected by the CSO will update all servers to the current software version (i.e. ACHIEVABLE) within 7 days (i.e. ACTIONABLE), and that the additional full-time staff be recruited by HR (i.e. APPROPRIATE) to commence within 30 days.