Please, could you answer my questions? I sent them in the chat, but you didn't answer them during the webinar.
When we implemented ISO 27001 two years ago (small company, 10 people), our first risk assessment table had many unacceptable risks, so we created various treatments (controls, safeguards, documented policies...) to regulate these risks. Taking the treatment controls into account, the new assessment showed just one risk that remained as a residual risk; the other risks had a lower (acceptable) value.
Now we have modified our methodology and revised our risks in a new table (new version of the document). I have two questions:
1. When we revise the risk management table on an annual basis (new document), I'm not sure whether we should assess risks (consequence and likelihood) with all implemented controls/safeguards in mind, or without them. If we take already implemented controls into account when assessing risks, almost all risks are acceptable (few residual risks remain), and there is no need for additional treatment at this moment.
2. Hypothetically: if all risks are acceptable according to our methodology, is it OK not to have a Risk Treatment Plan?