
Writing Treatment Plans

Treatment Plans - A Brief Template


The following headings may be suitable for many treatment registers.

  • Serial (Treatment ID)

  • Treatment

  • Description

  • Risks Treated (Risk IDs)

  • Initial Cost

  • Ongoing/Recurrent Cost

  • Priority

  • Cost Implications For Other Activities

  • Acceptance (Yes/No)

  • Actionee (The recipient of an action item; the person assigned responsibility for a specific task or issue.)

  • Due Date


Writing Risk Treatments - 4As

Risk treatments and recommendations can benefit from the 4A model. It can also be used to analyze the quality of existing security plans or recommendations.

  • Appropriate: Addresses the root cause.

  • Actionable: Specific timeframes, actions, resources, and accountable personnel to implement the treatment/recommendation.

  • Achievable: Criteria, individual judgement, or milestone by which the recommendation will be considered complete.

  • Agreed: Relevant personnel who were consulted and support this.

EXAMPLE: After consultation with the Head of HR and the Chief Security Officer (e.g. AGREED), the team recommends that external contractors selected by the CSO update all servers to the current software version (e.g. ACHIEVABLE) within 7 days (e.g. ACTIONABLE), and that additional full-time staff be recruited by HR (e.g. APPROPRIATE) to commence within 30 days.
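The register headings above and the 4A checks can be turned into a small mechanical review of a treatment register. The following is an added example and is not part of the original post: it models one register row with the headings listed in the template, adds two assumed fields (completion_criteria for Achievable and agreed_by for Agreed, since the template has no column for them), and flags rows that fail the checks a reviewer would apply before accepting a plan. Appropriate still needs human judgement, so it is not checked. All treatment rows and risk IDs are constructed sample data.

```python
"""Treatment register checker (added example, not from the original post).

Applies mechanical checks that approximate the Actionable, Achievable and
Agreed criteria of the 4A model, confirms that every Risk ID referenced by a
treatment exists in the risk register, and totals projected cost.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set


@dataclass
class Treatment:
    treatment_id: str                 # Serial (Treatment ID)
    treatment: str                    # short title
    description: str
    risks_treated: List[str]          # Risk IDs from the risk register
    initial_cost: float
    recurrent_cost: float             # ongoing / recurrent cost per year
    priority: int                     # 1 = highest
    cost_implications: str            # cost implications for other activities
    accepted: Optional[bool]          # Acceptance (Yes/No); None = not yet decided
    actionee: Optional[str]           # person responsible for the action
    due_date: Optional[date]
    completion_criteria: str = ""     # assumed field: how "done" is judged (Achievable)
    agreed_by: List[str] = field(default_factory=list)  # assumed field: consulted parties (Agreed)


def check_treatment(t: Treatment, known_risk_ids: Set[str], today: date) -> List[str]:
    """Return findings for one row; an empty list means it passes the mechanical checks."""
    findings: List[str] = []
    # Actionable: an accountable person and a timeframe must be recorded.
    if not t.actionee:
        findings.append("no actionee")
    if t.due_date is None:
        findings.append("no due date")
    elif t.due_date < today and t.accepted is not False:
        findings.append("due date already passed")
    # Achievable: a written criterion for "complete" must exist.
    if not t.completion_criteria.strip():
        findings.append("no completion criteria")
    # Agreed: at least one consulted party must be recorded.
    if not t.agreed_by:
        findings.append("no agreed parties recorded")
    # Acceptance must be an explicit Yes/No before the treatment is actioned.
    if t.accepted is None:
        findings.append("acceptance not decided")
    # Traceability: every treatment addresses at least one known risk.
    if not t.risks_treated:
        findings.append("treats no risks")
    for rid in t.risks_treated:
        if rid not in known_risk_ids:
            findings.append(f"unknown risk id {rid}")
    return findings


def check_register(register: List[Treatment], known_risk_ids: Set[str],
                   today: date) -> Dict[str, List[str]]:
    """Map each Treatment ID to its findings and flag duplicate IDs."""
    report: Dict[str, List[str]] = {}
    seen: Set[str] = set()
    for t in register:
        findings = check_treatment(t, known_risk_ids, today)
        if t.treatment_id in seen:
            findings.append("duplicate treatment id")
        seen.add(t.treatment_id)
        report[t.treatment_id] = findings
    return report


def projected_cost(register: List[Treatment], years: int) -> float:
    """Initial cost plus recurrent cost over the given number of years."""
    return sum(t.initial_cost + t.recurrent_cost * years for t in register)


# Constructed sample data: a risk register's IDs and two treatment rows.
SAMPLE_RISK_IDS = {"R-001", "R-002", "R-003"}
SAMPLE_TODAY = date(2019, 6, 1)
SAMPLE_REGISTER = [
    Treatment("T-001", "Patch servers", "Update all servers to current vendor version",
              ["R-001"], 12000.0, 3000.0, 1, "Contractor time",
              True, "CSO", date(2019, 6, 8),
              "All servers at current version, verified by scan report",
              ["Head of HR", "Chief Security Officer"]),
    Treatment("T-002", "Recruit staff", "Recruit additional full-time security staff",
              ["R-002", "R-999"], 0.0, 90000.0, 2, "HR budget",
              None, None, date(2019, 7, 1)),
]

if __name__ == "__main__":
    for tid, findings in check_register(SAMPLE_REGISTER, SAMPLE_RISK_IDS, SAMPLE_TODAY).items():
        print(tid, "OK" if not findings else "; ".join(findings))
    print("3-year projected cost:", projected_cost(SAMPLE_REGISTER, 3))
```

Running the block reports T-001 as passing and lists for T-002 the missing actionee, completion criteria, agreed parties and acceptance decision, plus the reference to the unknown risk R-999; the cost total is the register's initial cost plus three years of recurrent cost.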


©2019 by Julian Talbot