
Expert Advice Community

Risk assessment and SOA

Guest user Created: Mar 21, 2018 Last commented: Mar 21, 2018

Our team is currently working through the risk assessment and risk treatment for items identified as being in scope of our ISMS. Our initial ISMS is being restricted to our “customer facing applications” and hence the number of category 3 and 4 risks identified is quite low. Perhaps we are not being thorough enough, which may be possible.

Expert
Rhand Leal Mar 21, 2018

When I look at the SOA, it lists all of the Appendix A controls. My question is if the identified number of category 3 and 4 risks is low, then logically there will be a high number of SOA controls that do not apply and I would need to say “NO” in the Applicability column in the SOA table.

Answer: Your assumption is partially correct. If you have a low number of risks considered unacceptable, which will require the implementation of security controls to treat them, then there is a great chance that you will state most controls in the SoA as not applicable. But you should note that controls may be required because of legal requirements (e.g., a law or a contract), or because top management decided to implement them (by considering them "good practice").

By the way, included in the toolkit you bought you have access to a video tutorial that can help you understand and fill the risk assessment and risk treatment templates.

This article will provide you with further explanation about risk assessment and risk treatment:
- The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/

This material will also help you regarding risk assessment and risk treatment:
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
- The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
