.docx ✓ Professional Edition Updated Q1 2026

AI Risk Treatment Plan

A complete risk treatment planning template covering all four treatment options (avoid, reduce, transfer, accept) with control selection methodology, implementation guidance, and monitoring KPIs. Includes a four-framework crosswalk and treatment decision authority matrix. Built for organizations operationalizing their AI risk management program.

15 Sections · 28 Pages · 4 Frameworks · 3–5 hr To Deploy
NIST AI RMF 1.0 EU AI Act 2024 ISO 42001:2023 ISO 27001:2022
Build vs. Buy

From scratch
  • Research 4 frameworks: 6 hrs = $90
  • Draft 28 pages: 6 hrs = $90
  • Internal review cycle: 3 hrs = $45
  • Cross-mapping 4 frameworks: 3 hrs = $45
  • Total: 18 hours = $270

vs

This template
  • Purchase: $30.00
  • Customize for your org: 3 hrs = $45
  • Citations: Included
  • Crosswalk: Included
  • Total: 3 hours = $75

$195 saved
15 hours back | 7:1 ROI on $30.00
Calculated at $30/hr, the price of this template used as the hourly rate.
“What if I use AI to write it?”
AI makes drafting faster, but it doesn’t reduce the total work. You still need the source framework documents, a way to verify what the AI produces, and SME-level expertise to catch what it gets wrong. AI hallucinates article numbers, invents control IDs, and generates crosswalk tables that look authoritative but aren’t. Every citation still has to be checked against the actual standard. The work shifts from writing to verification, and verification takes just as long.
~17h with AI + expert verification
3h with this template
19 tables included
4 source PDFs read
$30.00
One-time purchase · Instant download
  • Fully editable Word .docx. Customize for your organization
  • 12 numbered sections plus supporting sections across 28 pages. Treatment register, control implementation guidance, and monitoring KPIs included
  • Aligned to 4 frameworks: NIST AI RMF, EU AI Act, ISO 42001, ISO 27001
  • All four treatment options (avoid, reduce, transfer, accept) with detailed control guidance per option
  • Every citation verified against the published standard. Not AI-generated.
  • Updated Q1 2026. Includes treatment decision authority quick reference
.docx NIST AI RMF EU AI Act ISO 42001 ISO 27001 ✦ Q1 2026 v2
Overview
What this template does

Every organization with an AI risk register needs a structured plan for how each identified risk will be treated. Without a treatment plan, risk assessments become documentation exercises that never translate to actual risk reduction, and auditors will flag the gap between identification and action.

This template provides the complete bridge from risk assessment to risk reduction. It covers all four treatment options (avoid, reduce, transfer, accept) with specific control selection methodology for each, implementation timelines, effectiveness monitoring KPIs, and a treatment decision authority matrix that defines who can approve which treatment decisions based on risk severity.

The Professional Edition includes sections that most treatment templates omit: a structured treatment register for tracking all active treatment plans, individual control implementation sections for each treatment option (not just “mitigate”), Statement of Applicability synchronization guidance, and a four-framework crosswalk mapping every section to NIST AI RMF MANAGE function, EU AI Act Art. 9, ISO 42001 Cl. 6.1.3, and ISO 27001 risk treatment controls.

What’s Inside
15 Sections · 28 Pages · Audit-Aligned Structure
Establishes the mandate for systematic AI risk treatment across the organization. Links to ISO 42001 Cl. 6.1.3 risk treatment requirements and NIST MANAGE function.
ISO 42001 Cl. 6.1.3 · NIST MANAGE 1.1
Systems, processes, and risk categories subject to treatment planning.
ISO 42001 Cl. 4.3 · EU AI Act Art. 2
Measurable treatment objectives including treatment completion rates, residual risk targets, and control effectiveness metrics.
ISO 42001 Cl. 6.2
The governance model linking treatment decisions to the risk register, risk assessment, and appetite statement. Defines when and how treatment planning is triggered.
ISO 42001 A.5.5 · NIST MANAGE 1.1
Full coverage of all four treatment options: avoid (eliminate the risk source), reduce (implement controls), transfer (insurance or outsourcing), accept (formal acceptance with conditions). Decision criteria for each option.
ISO 42001 Cl. 6.1.3 · NIST MANAGE 2.1
Five-step process from risk identification input through management approval. Covers option selection, control identification, residual risk evaluation, and sign-off requirements.
ISO 42001 A.5.5 · NIST MANAGE 1.1
Matrix defining who can approve treatment decisions based on risk level and treatment type. Escalation paths from team lead through CRO for critical risks.
ISO 42001 A.3.2 · NIST GOVERN 1.7
Structured register for tracking all treatment plans with fields for risk ID, treatment option, controls selected, owner, timeline, status, and residual risk score.
ISO 42001 Cl. 9.1 · NIST MANAGE 4.1
Controls and monitoring for risks being formally accepted. Includes acceptance conditions, compensating controls, and ongoing monitoring requirements.
ISO 42001 A.5.5
Technical and operational controls for risk reduction. Covers control selection methodology, implementation timeline, and effectiveness validation.
ISO 42001 A.5.5 · ISO 27001 A.8
Insurance, outsourcing, and contractual risk transfer mechanisms. Covers due diligence, contract requirements, and residual liability.
ISO 42001 A.10.3
Procedures for eliminating risk sources including system decommission, scope reduction, and alternative approaches.
NIST MANAGE 2.1
KPIs for measuring control effectiveness, review triggers for reassessment, and reporting cadence for treatment status.
NIST MEASURE 3.1 · ISO 42001 Cl. 9.1
How treatment decisions feed into the SoA, including what to document and synchronization requirements.
ISO 42001 Cl. 6.1.3 · ISO 27001 A.5.1
Four-framework mapping showing how each section aligns to NIST AI RMF, EU AI Act, ISO 42001, and ISO 27001 controls. Use during audits to demonstrate multi-standard compliance coverage.
Multi-Framework · Crosswalk
16-term glossary with precise definitions for risk treatment, residual risk, risk appetite, treatment plan, control effectiveness, and key risk treatment terms. Aligned to ISO 42001 and NIST AI RMF terminology.
16 Terms · ISO 42001 Definitions
Pre-built version control table tracking document revisions, approval dates, change descriptions, and responsible parties. Ready to customize for your organization’s revision history.
ISO 42001 Cl. 7.5 · Document Control
Signature and approval tracking table for treatment plan sign-off. Includes fields for approver name, title, department, signature, and date.
Audit Evidence · Sign-Off
Step-by-step deployment instructions for getting the treatment plan operational within your organization. Includes a customization checklist, priority sections to complete first, and a rendered table of contents for quick navigation across all 28 pages.
Deployment Guide · TOC
One-page quick reference summarizing treatment decision authority levels, escalation paths, and approval requirements by risk severity. Designed for printing and posting alongside your risk register workflow.
Quick Reference · Appendix
Audience
Who deploys this template
📈
Chief Risk Officer
Uses the treatment plan to govern risk reduction across the AI portfolio. Approves high-severity treatment decisions and monitors aggregate treatment effectiveness through KPIs.
🛡️
CISO
Integrates AI-specific treatment controls with existing ISMS processes. Maps mitigate controls to ISO 27001 security controls and monitors implementation across technical teams.
⚖️
Compliance Officer
Documents treatment decisions as audit evidence for ISO 42001 Cl. 6.1.3. Uses the SoA relationship section to maintain synchronized compliance documentation.
📋
AI Risk Manager
Operationalizes treatment plans from risk identification through control implementation. Manages the treatment register, tracks implementation progress, and measures residual risk reduction.
Framework Alignment
How this template maps to standards
NIST
NIST AI RMF 1.0
Maps to MANAGE function for risk treatment decisions (MANAGE 1.1), risk monitoring (MANAGE 4.1), and MEASURE for effectiveness validation (MEASURE 3.1).
MANAGE 1.1 · MANAGE 2.1 · MANAGE 4.1 · MEASURE 3.1
EU
EU AI Act 2024
Art. 9 risk management treatment requirements, Art. 14 human oversight in treatment decisions.
Art. 9 · Art. 14
42001
ISO/IEC 42001:2023
Fulfills Cl. 6.1.3 risk treatment planning, A.5.5 treatment controls, and Cl. 9.1 monitoring. Primary audit evidence for AIMS treatment documentation.
Cl. 6.1.3 · A.5.5 · Cl. 9.1
ISO
ISO/IEC 27001:2022
Integrates with ISMS risk treatment methodology. Maps AI treatment controls to A.5.1 policies, A.8 asset controls.
A.5.1 · A.8.1 · Risk Treatment
Value Proposition
Build from scratch vs. use this template
✓ With This Template
12 sections, 28 pages with treatment register, four treatment options with implementation guidance.
All four framework controls mapped. NIST AI RMF, EU AI Act, ISO 42001, ISO 27001.
SoA synchronization section. Links treatment decisions to your Statement of Applicability.
Treatment decision authority matrix with escalation paths by risk severity.
Every citation verified against the published standard. Not AI-generated.
Ready in 3–5 hours instead of starting from a blank document.
✗ From Scratch
18+ hours of work researching treatment approaches, drafting controls, and mapping frameworks.
Four treatment options require different governance approaches. Accept vs. avoid have fundamentally different processes.
Control implementation guidance requires SME knowledge of each treatment type.
SoA relationship is frequently missed. Auditors flag the disconnect between treatment plans and the Statement of Applicability.
AI-generated plans use generic controls that don’t reflect the four distinct treatment option workflows.
4-framework crosswalk is complex. Requires deep knowledge of each standard’s treatment requirements.

Already have a treatment plan? Use the crosswalk table to identify gaps in your current version against ISO 42001 Cl. 6.1.3, EU AI Act Art. 9, and NIST MANAGE requirements.

“Why is this only $30?”

I’ve been building governance documentation since 2012. That year I helped my healthcare analytics company earn its first HITRUST certification. Since then I’ve created and managed compliance documentation for SOC 2, PCI DSS, HITRUST, and ISO 27001 programs across enterprise organizations. I have a writing degree and I genuinely like this work.

HITRUST CSF · SOC 2 · PCI DSS · ISO 27001 · 14 Years in GRC · Writing Degree

Credentials don’t explain the price though. This does:

I want AI adopted responsibly. I don’t want my friends, my family, or my kids dealing with threats and risks that come from deploying AI without governance. Organizations will take the path that earns them the most money. That’s how business works. So I feel obligated to put quality documentation out at a price where governance isn’t something only Fortune 500 companies can afford. I don’t need to charge thousands of dollars to make a difference. I care about helping where I can.

You’re building something that matters. Documentation that earns trust from your board, your customers, and your team. And it has to be right.

The citations in these templates were checked against the published standards. The actual ISO 42001:2023 PDF, the EU AI Act regulation text, the NIST AI RMF 1.0 document. Control IDs, article numbers, crosswalk mappings. This is practitioner-built documentation from someone who’s sat in the audits, written the remediation plans, and knows what survives a compliance review.

Derrick Jackson // Founder, Tech Jacks Solutions
FRAMEWORK COVERAGE
NIST AI RMF EU AI Act ISO 42001 ISO 27001
WHAT YOU GET
12 numbered + supporting · 28 pages · 19 tables
Treatment register
Control guidance
SoA integration
Instant download
★ BUNDLE DEAL. SAVE 30%
Get the complete AI Risk Management Command Bundle
The AI Risk Management Command Bundle includes this Treatment Plan plus 11 more risk management documents and tools. $449 instead of $639 if purchased individually.
Important

This template is a starting point, not a finished product. It’s designed to accelerate your governance program by giving you a professionally structured foundation with verified framework citations. It doesn’t replace legal counsel, compliance review, or organizational judgment. Every organization is different. You’ll need to customize the content for your specific regulatory context, risk tolerance, and operational environment. We recommend routing your completed treatment plan through your legal, compliance, and governance teams before adoption. What you’re buying is a jumpstart that saves you weeks of research and drafting, not a guarantee of compliance. Framework citations reflect regulations as of Q1 2026. Regulatory frameworks evolve. Check for updates to the EU AI Act, ISO 42001, and NIST AI RMF before your annual policy review. Single organization license. All purchases include a 14-day money-back guarantee. If the template does not meet your needs, contact us for a full refund.

Policy mandate governing how identified AI risks are treated. Defines the four ISO 42001 Cl. 6.1.3 treatment options (avoid, mitigate, transfer, accept), authority tiers, and formal approval workflows. Companion to the AI Risk Register for operational tracking.

Author

Tech Jacks Solutions