The risk treatment plan is the immediate output of the RiskAssessment. It defines how, based on the criteria established by senior management, each risk is to be handled. The options are to:
1) Knowingly accept the risk as it falls within the organisation's "risk appetite", in other words management deem the risk acceptable, compared to the cost of improving controls to mitigate it;
2) Implement a suitable control or combination of controls to reduce (mitigate) the risk to a more acceptable level. Controls may be selected from the best practices defined in ISO 17799 and/or from other sources;
3) Avoid the risk i.e. do not undertake the associated business activity;
4) Transfer the risk to another organisation (e.g. through insurance or by contractual arrangements with a business partner).