Risk Treatment Plan
Version: 2.1
Status: Approved
Last modified: March 2025
Next Review Date: September 2025
ISO Statement
oboloo Ltd is actively preparing for ISO/IEC 27001 certification and has implemented this Risk Treatment Plan in accordance with ISO/IEC 27001:2022 Clause 6.1.3 and Annex A. This Plan supports the effective management of information security risks identified through oboloo’s formal Risk Assessment Methodology and aligns with applicable control objectives.
Introduction
This Risk Treatment Plan outlines how oboloo Ltd responds to identified information security risks using structured, transparent strategies. It ensures that identified risks are addressed in a consistent and timely manner to maintain the confidentiality, integrity, and availability of systems and data, in line with ISO/IEC 27001 requirements.
Definitions
Risk Treatment – Actions taken to modify or control risk, including avoidance, mitigation, transfer, or acceptance.
Residual Risk – The remaining risk after treatment actions have been applied.
Risk Register – A central record of identified risks, evaluations, treatment actions, responsible owners, and status.
Who We Are and How to Contact Us
Company Name: oboloo Ltd
Company Number: 12420854
Trading Address: 7 Bell Yard, London, England, WC2A 2JR
Contact Email: hello@oboloo.com
Changes to This Policy
This policy is reviewed bi-annually or upon significant changes to oboloo’s risk environment, business operations, or regulatory landscape. Updates are approved by the Information Security Manager and communicated to all relevant stakeholders.
Related Policies
Risk Assessment Methodology
Information Security Policy
Incident Response Plan
Purpose
The purpose of this Risk Treatment Plan is to define how oboloo Ltd treats identified information security risks through the application of appropriate strategies, the assignment of responsibilities, and the establishment of implementation deadlines. This ensures risks are managed in accordance with oboloo’s risk appetite and ISO/IEC 27001 compliance objectives.
Scope
This Plan applies to all information assets, processes, personnel, systems, and third-party relationships that fall within the scope of oboloo’s Information Security Management System (ISMS). It includes treatment of all risks that exceed acceptable thresholds as documented in the Risk Register.
Risk Treatment Process
Risk Identification
Risks are identified through formal assessments, audits, incidents, or changes in technology or regulation.
Risk Evaluation
Each risk is evaluated based on likelihood and impact using oboloo’s defined risk matrix. Unacceptable risks are flagged for treatment.
Treatment Options
For each risk, one or more of the following options is selected:
Avoid: Cease the activity causing the risk.
Mitigate: Apply security controls to reduce likelihood or impact.
Transfer: Share the risk via outsourcing or insurance.
Accept: Document and approve residual risk if within appetite.
Implementation of Controls
Controls aligned with ISO/IEC 27001 Annex A are defined for each treated risk. Actions are assigned owners and target deadlines.
Roles and Responsibilities
Role | Responsibility |
---|---|
Head of Security | Oversees the treatment process, validates completion |
Risk Owners | Implement assigned controls, report status |
Executive Team | Approves residual risk acceptance |
Internal Audit | Validates adherence to the plan during review cycles |
Risk Treatment Status Tracking
Treatment progress is tracked in the central risk register using the following status categories:
Status | Description |
---|---|
Planned | Action is defined but not yet started |
In Progress | Work is underway to implement the treatment |
Completed | Control or change has been implemented and verified |
Accepted | Risk is documented and formally accepted by leadership |
Deferred | Action postponed with justification and review schedule |
ISO/IEC 27001 Annex A Mapping
Policy Section | ISO/IEC 27001 Control Ref | Description |
---|---|---|
Treatment Strategy | A.6.1.3 | Risk treatment and decision-making |
Risk Ownership | A.5.1.2 | Assigning responsibilities |
Status Tracking | A.8.1 | Asset and risk tracking |
Risk Acceptance | A.6.1.3 | Approval of residual risk |
Review and Update of the Methodology
Risk treatment actions are monitored through internal audits, monthly management reviews, and continuous improvement cycles. Residual risks are reassessed quarterly. The plan is updated as needed based on changing risk exposure or audit findings.
Document Control
Version: 2.1
Date: March 2025
Description: Updated to include status tracking table and risk acceptance process
Previous Versions:
- Version 2.0 (Oct 2024): Aligned with ISO/IEC 27001:2022
- Version 1.0 (June 2024): Initial implementation