Filling SoA

Guest user Created:   Aug 24, 2019 Last commented:   Aug 27, 2019


I am writing the SOA - where can I add risks that have come from the Risk Assessment (but there is no applicable control from the Annex)?
Expert
Rhand Leal Aug 24, 2019

Answer:

In case the justification to apply a control is a risk, you can only mention its identifier from the risk treatment table (not from the risk assessment table).

Second, if I understood correctly, if you have risks to treat for which there are no adequate controls from Annex A, you can include controls from other sources (this is acceptable under ISO 27001), like NIST publications.

This article will provide you with further explanation about NIST controls:
- How to use the NIST SP800 series of standards for ISO 27001 implementation https://advisera.com/27001academy/blog/2016/05/02/how-to-use-the-nist-sp800-series-of-standards-for-iso-27001-implementation/

Guest
sharonburton Aug 27, 2019

Ok, thank you. So I just need to make a reference to the risk on the Risk Treatment Table. I have incorporated the Risk Assessment and Risk Treatment into one spreadsheet.

Expert
Rhand Leal Aug 28, 2019

Answer:

Your understanding about referencing risks on the SoA is correct, but I'd like to comment that incorporating the Risk Assessment and Risk Treatment in a single spreadsheet is not a recommended approach. Although it may simplify documentation, it also creates a bigger document that is more difficult to read and work with, besides the fact that it leaves information about risk treatment open to personnel who are only required for risk assessment. For example, most people can participate in the risk assessment process, but the definition of risk treatments and controls may be restricted only to personnel who will work on the implementation of such treatment. You should evaluate this situation to verify that using a single spreadsheet does not raise significant risk.
