Expert Advice Community

ISO 27001 certification

Guest
Guest user Created:   Jan 21, 2023 Last commented:   Jan 21, 2023

My company was certified to ISO 27001 in 2019 and re-certified in Oct 2022. I am now implementing Conformio to help me in the ongoing maintenance of the ISMS for future audits. I have just completed setting up the risk register and risk evaluation. Based on the controls that we have put in place over the years, all the risks are at an acceptable level. Our company's business has been around for 30 years and we have a stable operating environment. Conformio shows a warning message that there should be at least 10% Unacceptable Risk items to complete the Risk Register step and to pass the certification.

a) Is it necessary for me to artificially amend the risk evaluation to achieve the 10% Unacceptable risks?

b) Will the certification auditor not pass the certification audit if there are no risk treatment actions?

c) What is your recommendation?

Expert
Rhand Leal Jan 21, 2023

a) Is it necessary for me to artificially amend the risk evaluation to achieve the 10% Unacceptable risks?

First of all, sorry for this confusion.

This message is intended for companies that are implementing ISO 27001 for the first time. Since you already have implemented controls that reduce risks to an acceptable level, you do not need to include additional risks if you do not need to.

However, security risks are evolving very quickly, so it is likely that you do have some unacceptable risks that you did not record previously. It is recommended that you try to identify these new risks.

b) Will the certification auditor not pass the certification audit if there are no risk treatment actions?

Please note that risk treatment actions are needed only in case you have relevant risks to treat or want to make changes in existing controls (e.g., to update technologies or include improvements).

Since it is likely that your company is facing some new risks, the certification auditor will want to see if you managed to identify them. If you can convince the auditor that there are certainly no new risks, then you will pass the surveillance audit.

c) What is your recommendation?

In your situation, recommendations are:

  • Regarding risk assessment, take this opportunity to review your risk assessment, because after the last assessment new risks may have arisen that may require treatment
  • Regarding risk treatment actions, in case you do not have relevant risks to treat, try to look for improvement opportunities in implemented controls and document them as risk treatment actions. This will show the auditor a greater level of maturity of your ISMS.

For further information, see:
