1. Regarding risks that come from outside of the scope, should we consider these risks in the Risk Assessment and apply controls to mitigate them, or do we need to include their source in the scope? For example: there are some laptops that can access and (download or view) some sensitive data from what is in the scope, so do we need to include these laptops in the scope or just apply some controls to mitigate the risks that come from them?
2. What is the difference between the existing controls and planned controls? Do we need to have both in the risk register?
3. Should we write already-mitigated risks in the risk assessment phase? For example: a security feature in a system is enabled, so there is no risk right now, but if someone disables this feature, it may lead to a potential risk. So do we need to write down these risks in the risk assessment phase?
4. How can we design criteria for the impact if our scope is in the cloud?