I am a bit conflicted about this and need to hear what you think. I have asked Experta but I am still not sure. It feels like there must be a clear answer to this. So my question is... can I (according to ISO 27001) choose to not implement a security control from Annex A even if I can see a risk with not implementing it? If we identify the risk but choose to accept the risk without any mitigating actions, then in this case there won't be any risk treatment plans to connect to the security control. The risk is accepted by the company and we choose "Not Implemented" with no plans to implement. The risk and the security control will be re-evaluated yearly. Is this okay, or what should we do with the security control if we only have one or several risks linked to it that are accepted without further actions?
The reason to not implement could be that the risk is very, very low, very, very unlikely, and/or would cost more to implement than the consequence of the risk.