Treatment Types


Treatment types are the approaches or strategies an organization uses to address and manage identified risks. Controls alone never fully eliminate a risk; some residual risk always remains, and you must remediate, continue mitigating, transfer, accept, or avoid it. Each treatment type is a distinct category of actions or controls applied to mitigate, transfer, or otherwise respond to a specific risk. Which treatment type is appropriate depends on factors such as the nature of the risk, organizational objectives, and risk tolerance.

For a more detailed explanation and a visual representation, see the TrustRegister documentation directly.

Treatment Types

The following screenshot shows the “Treatment Types”. [Screenshot: Treatment Types]

Remediate

Implement a control that fully, or nearly, fixes the underlying risk, either by adding more controls or by fixing the root cause of the risk as part of your next risk assessment.

Example: You have identified a vulnerability on a server where critical assets are stored, and you apply a patch for that vulnerability.

Mitigate

Reduce the likelihood and/or impact of the risk without fixing it entirely, either by adding more controls or by developing a risk treatment plan independent of controls during your next assessment.

Example: You have identified a vulnerability on a server where critical assets are stored, but instead of patching the vulnerability, you implement a firewall rule that only allows specific systems to communicate with the vulnerable service on the server.

Transfer

Transfer the risk to another entity so that your organization can recover the costs incurred if the risk is realized. Choosing this option can include ‘transferring risk’ to a cyber insurance policy.

Example: You purchase insurance that will cover any losses that would be incurred if vulnerable systems are exploited.

Accept

Do not fix the risk. This is appropriate where the risk is clearly low and the time and effort needed to fix it would cost more than the losses incurred if the risk were realized. Choosing this option may require that you provide an explanation to your auditor.

Example: You have identified a vulnerability on a server but concluded that there is nothing sensitive on that server, that it cannot be used as an entry point to other critical assets, and that a successful exploit of the vulnerability would be very complex. As a result, you decide not to spend time and resources fixing the vulnerability.

Avoid

Remove all exposure to an identified risk instead of continuing to ignore its impact. Choosing this option may require that you explain it to your auditor.

Example: You have identified servers whose operating systems (OS) are about to reach end-of-life and will no longer receive security patches from the OS creator. These servers process and store both sensitive and non-sensitive data. To avoid the risk of sensitive data being compromised, you quickly migrate that sensitive data to newer, patchable servers. The servers continue to run and process non-sensitive data while a plan is developed to decommission them and migrate the non-sensitive data to other servers. Once the sensitive data is gone, the underlying reason for the risk no longer applies, and the risk has been avoided.
