Risk treatment implementation

Guest user Created:   Aug 27, 2018 Last commented:   Aug 27, 2018


Now we have reached the planning for risk treatment for ISO 27001. In our Statement of Applicability we excluded only one of the controls in Annex A due to inapplicability. Now the remaining controls are required, where some of them are already implemented and most of them are not implemented yet. We shall include the planning for the implementation in the risk treatment plan, but this will mean implementing the control at a future date.
Expert
Rhand Leal Aug 27, 2018

Now we would like to get certified and we are communicating with the certification companies for the audit and certification. My question is: since we have not yet implemented all the controls, is that a problem? Or, since we included the implementation in the treatment plan for a future date, is this covered? ... In other words (if we decided that the Annex A controls should be implemented, then is it a must to implement them before getting certified as ISO 27001?)

Answer:

You can leave some of the controls for implementation after the certification under the following conditions:
1) That you have implemented before the certification the controls that mitigate the biggest risks – in other words, you can leave only less important controls for after the certification.
2) That you have specified the deadlines for the controls that you will be implementing after the certification in your Risk Treatment Plan – of course, those deadlines must be after the certification date.
3) That your risk owners or top management accept all the risks for which controls have not been implemented before the certification.

This means that the most important controls must have "implemented" status at the certification, while the less important controls can have status "planned" or "partially implemented" at the moment of the certification. Of course, for controls with status "partially implemented" you have to keep evidence of activities already performed regarding the implementation (the certification auditor won't audit the control, but he will verify if the implementation plan is being executed).
