Last modified: Version 3.1 December 2025

oboloo Ltd is actively preparing for ISO/IEC 27001 certification and has implemented this Risk Treatment Plan in accordance with ISO/IEC 27001:2022 Clause 6.1.3 and Annex A. This Plan supports the effective management of information security risks identified through oboloo’s formal Risk Assessment Methodology and aligns with applicable control objectives.

This Risk Treatment Plan outlines how oboloo Ltd responds to identified information security risks using structured, transparent strategies. It ensures that identified risks are addressed in a consistent and timely manner to maintain the confidentiality, integrity, and availability of systems and data, in line with ISO/IEC 27001 requirements.

- Risk Treatment – Actions taken to modify or control risk, including avoidance, mitigation, transfer, or acceptance.
- Residual Risk – The remaining risk after treatment actions have been applied.
- Risk Register – A central record of identified risks, evaluations, treatment actions, responsible owners, and status.

Company Name: oboloo Limited
Company Number: 12420854
Trading Address: 7 Bell Yard, London, England, WC2A 2JR
Contact: oboloo.com/contact-us

This policy is reviewed bi-annually or upon significant changes to oboloo’s risk environment, business operations, or regulatory landscape. Updates are approved by the Information Security Manager and communicated to all relevant stakeholders.

Risk Assessment Methodology
Information Security Policy
Incident Response Plan

The purpose of this Risk Treatment Plan is to define how oboloo Ltd treats identified information security risks through the application of appropriate strategies, the assignment of responsibilities, and the establishment of implementation deadlines. This ensures risks are managed in accordance with oboloo’s risk appetite and ISO/IEC 27001 compliance objectives.

This Plan applies to all information assets, processes, personnel, systems, and third-party relationships that fall within the scope of oboloo’s Information Security Management System (ISMS). It includes treatment of all risks that exceed acceptable thresholds as documented in the Risk Register.

1. Risk Identification
Risks are identified through formal assessments, audits, incidents, or changes in technology or regulation.
2. Risk Evaluation
Each risk is evaluated based on likelihood and impact using oboloo’s defined risk matrix. Unacceptable risks are flagged for treatment.
3. Treatment Options
For each risk, one or more of the following options are selected:
- Avoid: Cease the activity causing the risk.
- Mitigate: Apply security controls to reduce likelihood or impact.
- Transfer: Share the risk via outsourcing or insurance.
- Accept: Document and approve residual risk if within appetite.
4. Implementation of Controls
Controls aligned with ISO/IEC 27001 Annex A are defined for each treated risk. Actions are assigned owners and target deadlines.

- Head of Security: Oversees the treatment process, validates completion
- Risk Owners: Implement assigned controls, report status
- Executive Team: Approves residual risk acceptance
- Internal Audit: Validates adherence to the plan during review cycles

Treatment progress is tracked in the central risk register using the following status categories:
- Planned: Action is defined but not yet started
- In Progress: Work is underway to implement the treatment
- Completed: Control or change has been implemented and verified
- Accepted: Risk is documented and formally accepted by leadership
- Deferred: Action postponed with justification and review schedule

- Treatment Strategy (A.6.1.3) – Risk treatment and decision-making
- Risk Ownership (A.5.1.2) – Assigning responsibilities
- Status Tracking (A.8.1) – Asset and risk tracking
- Risk Acceptance (A.6.1.3) – Approval of residual risk

Risk treatment actions are monitored through internal audits, monthly management reviews, and continuous improvement cycles. Residual risks are reassessed quarterly. The plan is updated as needed based on changing risk exposure or audit findings.

Version: 2.1
Date: March 2025
Description: Updated to include status tracking table and risk acceptance process
Previous Versions:
- Version 2.0 (Oct 2024): Aligned with ISO/IEC 27001:2022
- Version 1.0 (June 2024): Initial implementation