Thank you for your generosity. I have 4 questions after finishing "ISO 27001 Risk Management in Plain English" and would appreciate it if you responded to them:
1- Should we include every possible risk and its treatment? What about risks we do not consider (and consequently have no treatment for)? For example, if we do not include cloud security (but it is really a risk in our company), will the auditor mark it as a nonconformity, or, since we have not brought it into consideration, will he not consider it a nonconformity?
2- Should we include assets which have monetary value but may not cause a loss of confidentiality, integrity, and/or availability, e.g. a laptop without valuable data?
3- There are some risks that have already been treated via existing controls. Should we include them in our document but mention that they have already been treated, or should we only include risks that have not been treated?
4- Will the Statement of Applicability be revised after the DO phase (during the CHECK phase)?