Expert Advice Community


Filling out the Treatment Table

Guest user Created:   Dec 14, 2018 Last commented:   Dec 14, 2018


When filling out the Treatment Table there are the columns Selection of Options and Means of Implementation. Both offer a selection of inputs. Is it mandatory to use these selections, or can you use some other inputs that are not in the selection table? For instance, can I add "Other measures" to the "Selection of Options" and "Scan all documents to be stored on secure NAS, Destroy all physical documents" to the "Means of Implementation"?

Expert
Rhand Leal Dec 14, 2018

Not all solutions to the threats are in Annex A. If a choice from Annex A is made, it is still not clear what is actually being done.

Answer:

The selections presented on each column are not definitive, so you can add additional inputs if you consider this is needed for your organization. This tutorial can guide you on editing the drop down lists: https://support.office.com/en-us/article/add-or-remove-items-from-a-drop-down-list-0b26d3d1-3c4d-41f5-adb4-0addb82e8d2c

But it is important to mention that "Scan all documents to be stored on secure NAS, Destroy all physical documents" is an example of implementation of control A.8.2.3 Handling of assets, so in principle there is no need to add your example as a means of implementation.

This article can provide you further information about handling information: Information classification according to ISO 27001 https://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/

tkiers Dec 14, 2018

This answers the first part of my question. The second part maybe wasn't comprehensive enough.

When completing the Risk Treatment Table, you have to think about how you are going to treat a particular risk. Next you have to choose a related control from ISO 27001 Annex A. This choice, however, does not clarify the specific action that you are going to take in the form of adapting one of the toolbox documents or maybe writing a specific work instruction (like scan and destroy all physical documents).

When I have to think about a solution to a threat, I want to be able to describe this solution and not have to come back to that specific threat in the treatment table to think about the problem for a second time. The Treatment Table only allows me to choose related Annex A items but does not allow me to describe a specific action in more detail.

Rhand Leal Dec 17, 2018

First of all thanks for the clarification about your doubt.

In fact, for the purpose you described, the Risk Treatment Plan is not the proper document. As you said, it describes the general solution for a risk. For recording more detailed information you can use the Statement of Applicability template. In this template you have a column called "Implementation method", where you can describe the solution for a control (covering all risks and legal requirements related to that control), or make reference to documents (e.g., policy, procedure, or work instruction) describing the adopted solution.

This article will provide you further explanation about the Statement of Applicability:
- The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/
