Annex A controls to be applied while mitigating GDPR related risks

Guest user | Created: Oct 12, 2020 | Last commented: Oct 13, 2020

We are ISO 27001 compliant and we have the GDPR controls in place as well. Last time we had an external audit, the auditor had suggested that, while we mentioned the GDPR-related risk in the ISMS risk assessment sheet, the control numbers listed were not mapped correctly. Can you advise which of the Annex A controls are to be applied while we try to mitigate GDPR-related risks? Also, do we have any other Annex for GDPR-related risk controls?

Expert: Dejan Kosutic, Oct 13, 2020

In general, there are no "GDPR-related risks"; there are only risks related to confidentiality, integrity and availability of personal data.

To answer your questions:

1) Can you advise which of the Annex A controls are to be applied while we try to mitigate GDPR related risks?

Answer: Article 32 (Security of processing) of GDPR requires the following safeguards to be implemented:

  • Risk management - ISO 27001 clause 6.1
  • Encryption - ISO 27001 section A.10
  • Ability to restore the availability - ISO 27001 section A.17
  • Access control - ISO 27001 section A.9
  • Regular testing, assessing and evaluating the effectiveness - ISO 27001 clause 9.2 (Internal audit)

Further, GDPR Articles 28, 32, 33, 34, 39 and 82 require the following:

  • Relationship with suppliers / processors - ISO 27001 section A.15
  • Handling incidents / data breaches - ISO 27001 section A.16
  • Training and awareness - ISO 27001 clauses 7.3 and 7.4; control A.7.2.2
  • Ensuring confidentiality, integrity and availability - this is basically the whole ISO 27001 standard

You can find more information in this free webinar: How to integrate GDPR with ISO 27001 https://advisera.com/eugdpracademy/webinar/how-to-integrate-gdpr-with-iso-27001-free-webinar-on-demand/


2) Also, do we have any other Annex for GDPR related risks controls?

Answer: ISO 27001 does not have any other Annex that would cover privacy or GDPR; however, the ISO 27701 standard covers privacy management in more detail. Here's some info: Relationship between ISO 27701, ISO 27001, and ISO 27002 https://advisera.com/27001academy/blog/2019/12/10/relationship-between-iso-27701-iso-27001-and-iso-27002/
