1 - Dear Dejan, thanks for the comprehensive answers. One question I have though:
Do the risk treatments have to be directly linked to a security control?
Example: Asset “desktop computer”, Threat “Intrusion”, Vulnerability “Inadequate level of knowledge” links to security control “7 Training and awareness”?
At the moment we have linked it to a policy, which every employee should read, on how to handle it.
2 - To extend my question:
And shall we, in addition, add the “Statement of Applicability” to each control, stating for which assets it is applicable? But a consequence will be that, for instance, “training and awareness” is applicable to all assets.