You can leave some of the activities of the Risk Treatment Plan to be completed after the certification audit under the following conditions:
- That you have implemented, before the certification, the controls that mitigate the biggest risks - in other words, only activities related to less important controls can be left for completion after the certification audit.
- That you have specified the deadlines for the activities related to the controls that you will be implementing after the certification in your Risk Treatment Plan - of course, those deadlines must be after the certification date.
- That your risk owners or top management accept all the risks for which controls have not been implemented before the certification.

This means that activities related to the most important controls must have the status "implemented" at the time of certification, while the less important controls can have the status "planned" or "partially implemented" at that point.
This article will provide you with further explanation: