
Expert Advice Community

Risk assessment and risk treatment

Created: Sep 19, 2020   Last commented: Sep 21, 2020

Thank you for your generosity. There are 4 questions after I finished "ISO 27001 Risk Management in Plain English", and I would appreciate it if you responded to them:

1- Should we bring any possible risk and treatment? What about some risks we do not consider (and consequently no treatment for them)? For example, if we do not bring cloud security (but it is really a risk in our company), will the auditor make it a misconformity, or, since we have not brought it into our consideration, will he not consider it a misconformity?

2- Should we include some assets which have money value but may not cause loss in confidentiality, integrity, and/or availability, e.g. a laptop without valuable data?

3- There are some risks that have already been treated via some controls (existing controls). Should we bring them into our document but mention that they have already been treated, or do we only bring risks that have not been treated?

4- Will the Statement of Applicability be revised after the DO phase (during the CHECK phase)?


Expert
Rhand Leal Sep 19, 2020

1- Should we bring any possible risk and treatment? What about some risks we do not consider (and consequently no treatment for them)? For example, if we do not bring cloud security (but it is really a risk in our company), will the auditor make it a misconformity, or, since we have not brought it into our consideration, will he not consider it a misconformity?

Answer: ISO 27001 does not require a "minimum" number of risks, only that relevant risks are identified and treated.

Considering that, the auditor will be more concerned about the quality of the identified risks (i.e., how relevant they are for the organization) than their quantity. The single point you need to pay attention to is not to overlook obvious risks, i.e., risks that someone with proper competence in the process or asset would easily identify. To mitigate this risk you need to include in the risk assessment the personnel involved with the process or asset.

In your stated scenario, where cloud risks are relevant, an auditor will consider not assessing such risks as a nonconformity (please note that "nonconformity" is the term used in ISO scenarios, not "misconformity").

These articles will provide you a further explanation about risk assessment and treatment:
- ISO 27001 risk assessment: How to match assets, threats, and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/
- How to assess consequences and likelihood in ISO 27001 risk analysis https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#assessment
- 4 mitigation options in risk treatment according to ISO 27001 https://advisera.com/27001academy/blog/2016/05/16/4-mitigation-options-risk-treatment-according-iso-27001/
- Risk assessment tips for smaller companies https://advisera.com/27001academy/blog/2010/02/22/risk-assessment-tips-for-smaller-companies/

2- Should we include some assets which have money value but may not cause loss in confidentiality, integrity, and/or availability, e.g. a laptop without valuable data?

Answer: Even in case a set of asset-threat-vulnerability raises no risk to the information that is part of the ISMS scope, you should maintain it in the Risk Assessment, for record purposes. First, because this way you can keep track of already identified sets of assets-threats-vulnerabilities you thought were relevant, which in future assessments will save you time in risk identification (you will not need to work on the identification of these risks again); and second, since risk is a dynamic variable, in a future assessment these sets may indeed raise a risk that may require treatment (e.g. due to a technological change or new legislation).

These articles will provide you a further explanation about risk assessment:
- ISO 27001 risk assessment: How to match assets, threats and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/
- How to assess consequences and likelihood in ISO 27001 risk analysis https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#assessment

3- There are some risks that have already been treated via some controls (existing controls). Should we bring them into our document but mention that they have already been treated, or do we only bring risks that have not been treated?

Answer: You need to include all risks related to the ISMS scope, even those already treated. In such cases, you need to identify the implemented controls for those risks.

4- Will the Statement of Applicability be revised after the DO phase (during the CHECK phase)?

Answer: The Statement of Applicability is a living document, and must be updated when a particular control is implemented (when the status is changed), and reviewed after every review of risk assessment and risk treatment (performed during CHECK phase).

This article will provide you a further explanation about the Statement of Applicability:
- The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/

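To make the three record-keeping rules from the expert's answer concrete (keep zero-risk asset-threat-vulnerability sets for the record, keep already-treated risks and name their implemented controls, and derive the Statement of Applicability from the register and update it when a control's status changes), here is an added example that is not part of the thread and not Advisera's own toolkit code. It assumes a simple likelihood x consequence scoring on 0-5 scales with a constructed acceptable-risk threshold, and the control references in the sample rows are illustrative labels, not a recommendation for any specific control set.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Risk level = likelihood x consequence on 0-5 scales. The threshold is a
# constructed example value; an ISMS sets its own acceptance criteria.
ACCEPTABLE_LEVEL = 4


@dataclass
class Risk:
    """One row of the risk register: an asset-threat-vulnerability set."""
    asset: str
    threat: str
    vulnerability: str
    likelihood: int          # 0 (never) .. 5 (almost certain)
    consequence: int         # 0 (no impact on C/I/A) .. 5 (severe)
    existing_controls: List[str] = field(default_factory=list)  # already implemented
    planned_controls: List[str] = field(default_factory=list)   # chosen in the treatment plan

    @property
    def level(self) -> int:
        return self.likelihood * self.consequence

    def status(self) -> str:
        """Classify the row: still open, treated by existing controls, or no risk (kept for record)."""
        if self.level > ACCEPTABLE_LEVEL:
            return "treatment required"
        if self.existing_controls:
            return "treated by existing controls"
        return "no risk - kept for record"


def sample_register() -> List[Risk]:
    """Constructed sample rows mirroring the three cases raised in the thread."""
    return [
        # Q2: asset with monetary value but no information at risk -> level 0, still recorded
        Risk("Spare laptop (no data)", "Theft", "Kept in open office", 2, 0),
        # Q3: risk already treated -> keep the row and name the implemented control
        Risk("File server", "Disk failure", "Single disk, no redundancy", 2, 2,
             existing_controls=["Backup control (illustrative ref)"]),
        # Q1: a relevant cloud risk that must not be overlooked -> assessed and treatment planned
        Risk("SaaS CRM data", "Unauthorised access", "No MFA on cloud admin accounts", 3, 4,
             planned_controls=["Access restriction control (illustrative ref)"]),
    ]


def build_soa(register: List[Risk]) -> Dict[str, str]:
    """Derive SoA entries from the register: every control referenced by a risk is
    applicable; status is 'implemented' if any risk lists it as existing, else 'planned'."""
    soa: Dict[str, str] = {}
    for r in register:
        for c in r.planned_controls:
            soa.setdefault(c, "planned")
        for c in r.existing_controls:
            soa[c] = "implemented"
    return soa


def mark_implemented(register: List[Risk], control: str) -> None:
    """DO phase: a planned control goes live. Moving it to existing_controls on every
    row changes its SoA status on the next build_soa() call (the 'living document')."""
    for r in register:
        if control in r.planned_controls:
            r.planned_controls.remove(control)
            r.existing_controls.append(control)


def reassess(risk: Risk, likelihood: int, consequence: int) -> str:
    """CHECK phase: re-score the residual risk after treatment and return the new status."""
    risk.likelihood, risk.consequence = likelihood, consequence
    return risk.status()


if __name__ == "__main__":
    reg = sample_register()
    for r in reg:
        print(f"{r.asset:28} level={r.level:2} {r.status()}")
    print("SoA before DO:", build_soa(reg))
    mark_implemented(reg, "Access restriction control (illustrative ref)")
    print("SoA after DO: ", build_soa(reg))
    print("CHECK residual:", reassess(reg[2], 1, 4))
```

The zero-level laptop row survives in the register on purpose, and the file-server row stays with its control named, which is what the answer asks for; the SoA is never edited by hand here but rebuilt from the register, so a control's status can only change when the register changes.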
Sam Sep 21, 2020

Hi Rhand Leal,

Thanks for your extensive responses. Your responses as well as related links were very informative and useful.
