Hi, could you please clarify whether documenting the Risk Treatment Plan is mandatory as per ISO 27001 for Audit purposes? I understand the other nuances of ISO 27001 requirements that if the organisation says it's mandatory then it would be mandatory; or that it's a best practice to document the Risk Treatment Plan. I hope you understood my peril.
Yes, ISO 27001 requires companies to write the Risk Treatment Plan in clause 6.1.3 e).