
...

The process used for risk assessment and treatment within Vertic Pty Ltd is set out in the document Risk Assessment and Treatment Process, which is part of the Information Security Management System (ISMS). This risk treatment plan sets out:

  • Risks requiring treatment

  • Risk owner

  • Recommended treatment option

  • Actions/Controls to be implemented

  • Responsibility for the identified actions

  • Estimated cost of control implementation

  • Timescales for actions

  • Residual risk levels after the controls have been implemented

This plan must be signed off by top management and by the relevant risk owner(s) to show agreement to the actions identified and to the levels of residual risk remaining after the treatment actions have been completed. The following people were involved in defining the actions described in this plan:

...

For each risk identified in the risk assessment report as needing treatment, one or more of the following treatment options has been agreed to reduce its risk level:

  • Modify – take action to reduce either the likelihood or impact of the risk (or both)

  • Share – agree or contract with a third party to share the effect of the risk

  • Avoid – change the way we work or some other factor so that the risk no longer applies

The specific actions to be taken are then identified together with an action owner and a target timescale.

...