Risk Treatment Plan (ISO 27001:2022 clause 6.1.3)
Document ID: risk-treatment-plan
Version: 1.0
Effective from: 2025-01-01
Owner: Founder / CEO
Review cycle: Quarterly
Living document
The canonical risk register is maintained in the compliance portal at /compliance/risks. This document describes the treatment methodology; individual risks and mitigations are tracked dynamically in D1.
Risk assessment methodology
Scoring
Inherent risk score = Likelihood (1–5) × Impact (1–5), giving a 1–25 scale.
| Score | Band | Treatment default |
|---|---|---|
| 20–25 | Critical | Must treat — implement control within 30 days |
| 12–19 | High | Treat or document acceptance with review |
| 6–11 | Medium | Treat in next quarter or formally accept |
| 1–5 | Low | Accept with annual review |
Likelihood scale
| Value | Description |
|---|---|
| 1 | Rare — unlikely in 5 years |
| 2 | Unlikely — could happen once in 5 years |
| 3 | Possible — once per year |
| 4 | Likely — several times per year |
| 5 | Almost certain — monthly or more |
Impact scale
| Value | Description |
|---|---|
| 1 | Negligible — no customer impact |
| 2 | Minor — brief degradation; no data exposure |
| 3 | Moderate — temporary service disruption or limited data exposure |
| 4 | Significant — extended outage or material data breach |
| 5 | Catastrophic — complete data loss, regulatory action, company-ending |
Treatment options
| Option | When to use | How recorded |
|---|---|---|
| Modify (implement control) | Residual risk > acceptable threshold | Mitigation added to risk_mitigations; linked to control |
| Accept | Residual risk ≤ threshold, or cost of control exceeds benefit | status = 'accepted' in risk register with rationale |
| Transfer | Risk can be shared via insurance or contractual terms | Vendor/insurance clause documented in notes |
| Avoid | Risk eliminated by not doing the risky activity | Risk closed; activity constrained |
Risk categories in scope
| Category | Example risks |
|---|---|
| Security | Credential compromise, CVE in dependency, insider threat |
| Availability | Cloudflare outage, D1 corruption, signing key loss |
| Confidentiality | Customer data exfiltration, PII in logs |
| Processing integrity | Evidence signing failure, Merkle chain break |
| Vendor | Vendor SOC 2 lapse, vendor breach |
| Regulatory | GDPR breach notification, Stripe PCI non-compliance |
Residual risk acceptance
The founder/CEO is the risk owner and has authority to accept residual risk up to a score of 9 (Medium band). Risks ≥ 10 must be mitigated before acceptance.
Review cadence
- Quarterly: All open and accepted risks reviewed via the risk-register-review collector
- On new incident/vulnerability: Risk register updated within 48 hours
- Annual: Full risk assessment revisited alongside SoA and ISMS policy reviews
Evidence
| Collector | Cadence | Control |
|---|---|---|
| risk-register-review | Quarterly | A.5.4 |
| incident-log | Monthly | A.5.24–A.5.28 |