1. What is the expected risk level of the residual risk? Assume acceptance is below 3, should a residual risk level be more than 3 having implemented all controls
2. Clause 6.1.1 requires actions to address opportunities.
a. What are opportunities - in relation to ISMS
b. What are the actions to address opportunities
3. What determines likelihood of occurrence in risk assessment ? Is it the frequency for occurrence of an activity/process?