Risk assessment and risk treatment
Answer: Yes. Now that you have identified which risks are to be treated, you have to define with the risk owners the deadlines and required resources, and get the complete risk treatment plan approved by top management.
2- Should everything be done before we get certified? For example, if we want to get certified during summer 2018, should all deadlines in the Risk Treatment Plan be set before that?
Answer: No. You can leave some of the controls for the implementation for after the certification under the following conditions:
1) That you have implemented, before the certification, the controls that mitigate the biggest risks – in other words, you can leave only less important controls for after the certification.
2) That you have specified the deadlines for the controls that you will be implementing after the certification in your Risk Treatment Plan – of course, those deadlines must be after the certification date.
3) That your risk owners or top management accept all the risks for which controls have not been implemented before the certification.
This means that the most important controls must have "implemented" status at the certification, while the less important controls can have status "planned" or "partially implemented" at the moment of the certification. Of course, for controls with the status "partially implemented" you have to keep evidence of the activities already performed regarding the implementation (the certification auditor won't audit the control, but he will verify whether the implementation plan is being executed).
Included in the toolkit you bought you have access to video tutorials that can help you with the risk assessment and treatment process.
Sep 13, 2017