My company was certified on ISO 27001 in 2019 and re-certified in Oct 2022. I am now implementing Conformio to help me in the ongoing maintenance of the ISMS for future audits. I have just completed setting up the risk register and risk evaluation. Based on the controls that we have put in place over the years, all the risks are at an acceptable level. Our company's business has been around for 30 years and we have a stable operating environment. Conformio shows a warning message that there should be at least 10% Unacceptable Risk items to complete the Risk Register step and to pass the certification.
a) Is it necessary for me to artificially amend the risk evaluation to achieve the 10% Unacceptable risks?
b) Will the certification auditor not pass the certification audit if there are no risk treatment actions?
c) What is your recommendation?