The treatments function in Diri is used to manage risk-reducing measures (security controls) directly within your risk assessments. Treatments represent actions or controls that modify risk by reducing probability, lowering consequences, avoiding the risk, transferring it, or accepting it.
Treatments can be added either directly in the treatments table, or from the Bowtie worksurface when adding a cause or consequence.
Treatments are bound to modules and can be filtered by module. The picture below shows a treatment list in Diri with the module toggler at the top middle, set to “Show all”.
When creating a new treatment, you will be asked to provide key information such as:
Name and Description of the treatment
Status (Open, Recommended, Planned, Ongoing, Implemented, Not applicable)
Responsible user and Due date (the responsible user will receive notifications)
Costs (one-time and yearly cost, used for cost-benefit analysis and treatment plan budgeting)
Frameworks and Control references (to link the treatment to compliance frameworks like GDPR, NIS2, ISO, etc.)
Class (Identify, Protect, Detect, Respond & Recover)
Type (Physical, Technical, Administrative, Personnel)
Treatment effect (estimate of how strong the control is against the specific cause or consequence)
This information ensures each treatment is documented, assigned, and traceable in follow-up and reporting.
Instead of creating new controls for every assessment, you can reuse existing treatments. For example, global controls like Single Sign-On or Firewalls can apply to multiple IT systems. When reusing a treatment, you can still set individual treatment effects for each cause or consequence it is linked to.
This prevents duplicate registrations and ensures consistency across assessments.
Treatments are central to how Diri calculates the risk picture:
Before treatments = risk without any measures
Current risk = risk with implemented treatments
Planned risk = risk with implemented, planned, and ongoing treatments
All treatments = risk picture if all suggested measures were implemented
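The four views above differ only in which treatment statuses count as in effect. The sketch below is an added example, not Diri's code, and it shows that filtering on one risk with treatments linked to causes and consequences. This page does not give Diri's formula, so the multiplicative effect model, the exclusion of "Not applicable" from "All treatments", and all names and sample values are assumptions.

```python
from dataclasses import dataclass

STATUSES = {"Open", "Recommended", "Planned", "Ongoing", "Implemented", "Not applicable"}
# Statuses that count as "in effect" in each risk view described above.
# Assumption: "All treatments" leaves out "Not applicable".
VIEWS = {
    "Before treatments": set(),
    "Current risk": {"Implemented"},
    "Planned risk": {"Implemented", "Planned", "Ongoing"},
    "All treatments": STATUSES - {"Not applicable"},
}

@dataclass(frozen=True)
class Link:  # one treatment linked to a cause or consequence, with its own effect
    treatment: str
    status: str
    target: str    # "cause" lowers probability, "consequence" lowers impact
    effect: float  # assumed model: fraction of the value removed, 0.0 to 1.0
    def __post_init__(self):
        if self.status not in STATUSES:
            raise ValueError(f"unknown status: {self.status!r}")
        if not 0.0 <= self.effect <= 1.0:
            raise ValueError(f"effect out of range: {self.effect}")

def residual(base, links, statuses, target):
    # Apply every in-effect link on `target` multiplicatively (assumed model).
    for link in links:
        if link.status in statuses and link.target == target:
            base *= 1.0 - link.effect
    return base

def risk_picture(probability, consequence, links):
    return {
        view: round(residual(probability, links, statuses, "cause")
                    * residual(consequence, links, statuses, "consequence"), 2)
        for view, statuses in VIEWS.items()
    }

# Constructed sample data: one risk with yearly probability 0.4 and impact 500000.
SAMPLE_LINKS = [
    Link("Single Sign-On", "Implemented", "cause", 0.5),
    Link("Firewall", "Ongoing", "cause", 0.25),
    Link("Offline backups", "Planned", "consequence", 0.6),
    Link("Awareness training", "Recommended", "cause", 0.2),
    Link("Site guard", "Not applicable", "cause", 0.9),
]

if __name__ == "__main__":
    print(risk_picture(0.4, 500_000, SAMPLE_LINKS))
```

With the sample data, a treatment that is only "Recommended" changes the "All treatments" figure but leaves "Current risk" and "Planned risk" untouched, which is the gap a treatment plan is meant to close.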
Treatments in Diri help you document, manage, and follow up risk-reducing measures in a structured way. They support accountability (who is responsible), compliance (linking to frameworks and controls), and efficiency (reuse of controls across assessments).