Information security risk treatment is a process to minimise the risk impact and find the best suitable treatment for the risks. The information security risk treatment process is determined in clause 6.1.3. All results from the risk treatment process are to be kept in a documented form by the organisation.