ISO 27001 Risk Assessment
1. What would you say counts as existing control and how "secure" does it need to be to lower the risk level? (documented, implemented as a process, etc.?)
“Existing controls” refers to controls that are currently implemented (i.e., documented, implemented as a process, as a technology, etc.), so it is not about “how secure does it need to be”, but “how secure it is” at the moment of the assessment.
For example, for a data loss risk, you can mention that you already have a backup solution implemented (e.g., a software solution).
2. If the already existing controls lower the risk level, which we suppose they do according to your video lessons, then the risk level might be so low that the risk doesn't need to be included in the risk treatment. And if it doesn't need to be included in the risk treatment, then we don't need to implement a control from Annex A to cover this risk?
Have we understood this correctly? It seems a bit wrong to exclude Annex A controls that actually should be applicable.
If you already have a control implemented, identified during risk assessment, you need to identify this information in the SoA, reporting the associated control as implemented.
Considering the previous example, you need to report in the SoA that control A.12.3.1 Information Backup is applicable and its status is implemented.
For further information, see:
- ISO 27001/ISO 27005 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
Jan 13, 2022