
Expert Advice Community


Risk Assessment and Treatment

Guest user Created:   Feb 06, 2017 Last commented:   Feb 06, 2017


1 - For the Risk Assessment and Treatment report, do all of the identified risks have to be resolved/completed prior to certification, or is having a timeline of completion okay?

Expert
Rhand Leal Feb 06, 2017

Answer: First of all, not all identified risks must be treated, only those considered unacceptable according to your established criteria and security levels.

Considering this, a company can implement certain controls after the certification if: (1) all the major risks are resolved before the certification, (2) in the Risk Treatment Plan it is clearly defined that those controls will be implemented at a later date, and (3) the risk owners have accepted the risks related to controls that will be implemented later.

2 - Also, do you do ISO certification inspections?

Answer: Unfortunately, we do not provide certification services because this would be a conflict of interest. We provide you help with the implementation of a standard with our documentation toolkits, online courses, books and other online tools. This article will help you: How to choose a certification body https://advisera.com/blog/2021/01/11/how-to-choose-an-iso-certification-body/

This article will provide you further explanation about Risk Assessment and Treatment:
- Becoming ISO 27001 certified – How to prepare for certification audit https://advisera.com/27001academy/iso-27001-certification/

These materials will also help you regarding Risk Assessment and Treatment:
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
