Once we handle the risk assessment and treatment plan, we will choose the controls necessary to reduce the related risks. In the SoA we have to go through the 114 controls and choose which of them are implemented, will be implemented, or are not applicable.
So we are repeating the same steps in both the risk assessment and the SoA... so why not only go through the 114 controls, and this will cover both steps (controls needed to reduce the risk and the SoA process)?
Appreciate your feedback.
Please note that the risk assessment, risk treatment, and elaboration of the Statement of Applicability have very different steps, so you do not repeat the same activities. And you cannot go directly to the controls, because the standard requires all defined steps for risk assessment and risk treatment to be performed.
In risk assessment you identify, analyze and evaluate risks. As output you have a prioritized list of risks, and which ones require treatment or not.
In risk treatment you define treatment options and applicable controls, elaborate the SoA and the risk treatment plan, approve the risk treatment plan and accept the residual risks.
The Statement of Applicability is different from risk treatment because there you need to take into account (besides the results of the risk assessment) also legal and regulatory requirements, as well as management decisions. On top of this, the SoA keeps track of the implementation method and implementation status; these are not mentioned in the risk treatment.
In Conformio, the Statement of Applicability is created automatically based on the results of the Risk Register module. You only need to add some items where needed, like justifications based on legal and contractual requirements, or management decisions, or specific information about implementation methods.