Risk assessment and treatment report

Guest user, created: Sep 17, 2019, last commented: Sep 17, 2019


I have a clarification question regarding the risk assessment and treatment report. When is this report created in the process of the ISO 27001 project? Before or after implementation of the necessary controls?

In the draft document it states that «The risk treatment was done from XX to XX.» (in the German draft: "Risk treatment was carried out in the period from [day/month/year] to [day/month/year].") Does this imply that the controls are in place, or does this mean that the treatment plan etc. was created, but the controls do not have to be in place when writing the report?

Also, it says in the draft document (Heading 3.5) that «after implementation of the controls the residual risks are re-evaluated» (in the German draft: "after the controls were applied, the residual risks were assessed"). This implies that the report is done after the controls have been implemented, as the process (which is reported on) would include the residual risk evaluation after the implementation of the controls.

Expert: Rhand Leal, Sep 17, 2019

I have a clarification question regarding the risk assessment and treatment report. When is this report created in the process of the ISO 27001 project? Before or after implementation of the necessary controls?

The risk assessment and treatment report must be created before the implementation of the necessary controls, just after completion of risk assessment and risk treatment.

In the draft document it states that «The risk treatment was done from XX to XX.» (in the German draft: "Risk treatment was carried out in the period from [day/month/year] to [day/month/year].") Does this imply that the controls are in place, or does this mean that the treatment plan etc. was created, but the controls do not have to be in place when writing the report?

This period “from XX to XX” refers to the period by which all treatment options for unacceptable risks were defined. It is not related to the implementation of controls.

Also, it says in the draft document (Heading 3.5) that «after implementation of the controls the residual risks are re-evaluated» (in the German draft: "after the controls were applied, the residual risks were assessed"). This implies that the report is done after the controls have been implemented, as the process (which is reported on) would include the residual risk evaluation after the implementation of the controls.

Please note that residual risks must be estimated after the treatment option is decided, without implementing any control, so decision makers can simulate different approaches to handle all risks.

After the controls are implemented, during the risk review, you will assess (re-evaluate) the realistic value of impact and likelihood, and this is something you need to record in the Risk assessment table – this has nothing to do with the initial Risk assessment report.
