
Expert Advice Community


Risk assessment and treatment process

Guest user Created:   Apr 28, 2018 Last commented:   Apr 28, 2018

I watched a PECB presentation on YouTube in which the presenter placed the SoA as the last step in the risk management process. This contradicts what you have written in your book.

Expert
Rhand Leal Apr 28, 2018

Is the sequence in the last steps (SoA vs risk treatment plan) interchangeable or is there a correct way?

Answer: The ISO 27001 risk treatment consists of these requirements (exactly in this order):
- Selection of applicable risk treatment options
- Determination of necessary controls to implement the chosen options
- Comparison of determined controls against ISO 27001 Annex A
- Elaboration of the Statement of Applicability
- Formulation of the Risk Treatment Plan
- Approval of the Risk Treatment Plan and residual risks

The standard follows this order because, besides the results of the risk assessment, the risk treatment plan must also consider applicable legal requirements and top management decisions when defining actions, resources and deadlines to implement a control, and this information is found in the SoA justification for control inclusions.

These articles will provide you further explanation about risk treatment and SoA:
- 4 mitigation options in risk treatment according to ISO 27001 https://advisera.com/27001academy/blog/2016/05/16/4-mitigation-options-risk-treatment-according-iso-27001/
- ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
- Risk Treatment Plan and risk treatment process – What’s the difference? https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#treatment
- The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/

This material will also help you regarding risk treatment:
- The basics of risk assessment and treatment according to ISO 27001 [free webinar] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
