Risk Treatment Plan
Introduction
The purpose of this plan is to define the treatment actions arising from a risk assessment exercise carried out from April 2022 to May 2022 with the scope described in the Risk Assessment Report dated 27 April 2022. The main purpose of the exercise was to assess the risks to Vertic Pty Ltd, identify which of these could be accepted and decide on actions to be taken to address the remaining unacceptable risks. The overall goal of these actions is to bring risks within defined limits of acceptability.
The process used for risk assessment and treatment within Vertic Pty Ltd is set out in the document Risk Assessment and Treatment Process which is part of the Information Security Management System (ISMS). This risk treatment plan sets out:
Risks requiring treatment
Risk owner
Recommended treatment option
Actions/Controls to be implemented
Responsibility for the identified actions
Estimated cost of control implementation
Timescales for actions
Residual risk levels after the controls have been implemented
This plan must be signed off by top management and by the relevant risk owner(s) to show agreement to the actions identified and to the levels of residual risk remaining after the treatment actions have been completed. The following people were involved in defining the actions described in this plan:
| NAME | ROLE IN ASSESSMENT |
| --- | --- |
| Jan Tenenberg | Lead risk assessor |
| Stephen Kent | Assistant risk assessor |
Table 1: Risk treatment team
As part of the assessment of potential treatments, the following additional people were consulted:
| NAME | TITLE | LOCATION |
| --- | --- | --- |
| Matt Romeo | Chief Operating Officer | Melbourne Office |
| Alex Hughes | Principal Consultant | Melbourne Office |
Table 2: People consulted
Risk treatment plan
The risk treatment plan is shown in Table 3 below. Further details of the post-treatment re-assessment of risks are given in Appendix A.
For each risk identified in the risk assessment report as needing to be treated, an approach has been agreed to take one or more of the following treatment options to reduce its risk level:
Modify – take action to reduce either the likelihood or impact of the risk (or both)
Share – agree or contract with a third party to share the effect of the risk
Avoid – change the way we work or some other factor so that the risk no longer applies
The specific actions to be taken are then identified together with an action owner and a target timescale.
Each risk has been re-assessed as if the action has been completed in order to estimate the effect of the action on the level of the risk. These estimates will need to be validated at an appropriate time after the actions have been put in place to see if they were accurate. If the effect has not been as much as intended, then further actions may need to be applied to bring the risk within acceptable limits.
Where appropriate, actions are taken from the list of reference controls within Annex A of the ISO/IEC 27001 information security standard. Use of these controls and their implementation status within Vertic Pty Ltd is set out in a Statement of Applicability which is a required document within ISO/IEC 27001.
The controls set out in Annex A are supplemented by the extended and additional guidance set out in the following codes of practice:
ISO/IEC 27001 – Code of practice for information security controls
Vertic’s primary information security exposure is the disclosure of transactional data held in the underlying Salesforce platform. We address this principally by enforcing two-factor authentication (to limit the impact of a password compromise) and by using the security features built into Salesforce. We do not store or manage any client transactional data in our own environments.
Actions to address the potentially insecure use of partner cloud services have also been identified. Many of the controls listed in section A.15 of Annex A of the ISO/IEC 27001 standard are recommended for implementation, together with the additional measures proposed by the ISO/IEC 27017 code of practice.
Vertic’s Organisational Risk Register can be found here.