1. What happens if all controls (existing and additional controls (based on Annex A)) are implemented? Does it mean we entirely remove the risk from the register - yet based on the activities there are chances of the risk taking place?
2. How often should an organization undertake risk assessment and risk treatment?
3. When should one calculate the residual risk? Should it determine the risk assessment process of the subsequent year?
4. Is there any template that you can share for risk assessment and treatment, with criteria and likelihood, etc.?