Expert Advice Community

Guest user Created:   Jan 01, 2019 Last commented:   Jan 01, 2019

Risk management

I have a question about risk management that needs your advice. At this moment we have just finished the risk assessment process; let's say we identified and assessed around 300 risks, 10 of them are high risks, 50 of them are medium risks, and the rest are low risks. For the risk treatment process...
Expert
Rhand Leal Jan 01, 2019

1 - Do we have to identify the controls for all high and medium risks?

Answer: You have to identify controls only for risks considered unacceptable according to your risk acceptance criteria, and for which you decided on risk mitigation as the treatment option. To set the acceptable level of risk you must consider the organizational context and the business objectives (generally, the more aggressive the business objectives, and the more dynamic the organizational context, the lower the risk acceptance criteria would be).

2 - Can we just identify the controls only for high risks and implement them?

Answer: It is possible to identify and implement controls only for high risks.

3 - For medium risks, can we say we will gradually identify the controls and implement them later?

Answer: It is possible to gradually implement controls for medium risks. Considering certification processes, you only have to ensure that controls for unacceptable risks are implemented by the certification audit, and that actions for the implementation of other controls are up to date considering the implementation plan.

These articles will provide you with further explanation about risk treatment:
- ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
- 4 mitigation options in risk treatment according to ISO 27001 https://advisera.com/27001academy/blog/2016/05/16/4-mitigation-options-risk-treatment-according-iso-27001/

This material will also help you regarding risk treatment:
- The basics of risk assessment and treatment according to ISO 27001 [free webinar] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/

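Editor's note: the following worked example is added to this thread and is not code from the original poster, from Rhand Leal, or from Advisera's toolkit. It applies the reasoning in the answer above to a small risk register: risks at or below the acceptance threshold are accepted, unacceptable risks treated by avoidance or transfer get no controls, unacceptable high risks need controls in place before the audit, and unacceptable medium risks may be scheduled in the treatment plan. The 1-5 likelihood and impact scales, the level boundaries (high at 15 or more, medium at 8 or more), the acceptance threshold of 6, the audit date and the seven sample risks are all constructed assumptions for illustration, not values from the thread or from ISO 27001.

```python
"""Risk treatment triage against acceptance criteria (added example).

Assumptions not taken from the original thread: a 1-5 likelihood x 1-5
impact scoring, the level boundaries, the acceptance threshold, the audit
date and the sample register are all constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from enum import Enum
from typing import Optional


class Treatment(Enum):
    MITIGATE = "mitigate"   # reduce the risk by implementing controls
    ACCEPT = "accept"       # keep the risk as is (needs management sign-off)
    AVOID = "avoid"         # stop the activity that causes the risk
    TRANSFER = "transfer"   # move the risk to a third party (insurance, outsourcing)


@dataclass(frozen=True)
class Risk:
    risk_id: str
    description: str
    likelihood: int                      # 1 (rare) .. 5 (almost certain), assumed scale
    impact: int                          # 1 (negligible) .. 5 (severe), assumed scale
    treatment: Treatment = Treatment.MITIGATE
    control_implemented: bool = False
    planned_by: Optional[date] = None    # target date from the risk treatment plan

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


def risk_level(score: int) -> str:
    """Map a score to low/medium/high. Boundaries are an assumed policy choice."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def triage(risks, acceptance_threshold: int) -> dict:
    """Sort a register into buckets following the answer in the thread.

    acceptance_threshold is the highest score accepted without treatment
    (the risk acceptance criteria). Controls are identified only for risks
    above it whose chosen option is MITIGATE; unacceptable risks that are
    avoided or transferred are not controlled. Unacceptable high risks need
    controls now; unacceptable medium risks may be scheduled.
    """
    buckets = {"accepted": [], "controls_now": [],
               "controls_scheduled": [], "avoid_or_transfer": []}
    for r in risks:
        if r.score <= acceptance_threshold:
            buckets["accepted"].append(r)
        elif r.treatment in (Treatment.AVOID, Treatment.TRANSFER):
            buckets["avoid_or_transfer"].append(r)
        elif risk_level(r.score) == "high":
            buckets["controls_now"].append(r)
        else:
            buckets["controls_scheduled"].append(r)
    return buckets


def audit_findings(risks, acceptance_threshold: int, audit_date: date) -> list:
    """Check the two audit conditions from the answer: controls for
    unacceptable high risks are implemented, and scheduled controls are
    dated in the treatment plan and not overdue."""
    b = triage(risks, acceptance_threshold)
    findings = []
    for r in b["controls_now"]:
        if not r.control_implemented:
            findings.append(f"{r.risk_id}: high risk (score {r.score}) without implemented control")
    for r in b["controls_scheduled"]:
        if r.control_implemented:
            continue
        if r.planned_by is None:
            findings.append(f"{r.risk_id}: medium risk has no date in the treatment plan")
        elif r.planned_by < audit_date:
            findings.append(f"{r.risk_id}: planned control overdue ({r.planned_by.isoformat()})")
    return findings


# Constructed sample data (not from the thread).
ACCEPTANCE_THRESHOLD = 6
AUDIT_DATE = date(2019, 3, 1)


def sample_register() -> list:
    return [
        Risk("R-001", "Ransomware on file server", 4, 5, control_implemented=True),
        Risk("R-002", "Lost laptop with unencrypted data", 3, 5),
        Risk("R-003", "Credential theft via phishing", 4, 3, planned_by=date(2019, 6, 30)),
        Risk("R-004", "Legacy app with unpatchable flaw", 3, 3, treatment=Treatment.TRANSFER),
        Risk("R-005", "Power outage at office", 2, 2),
        Risk("R-006", "Vendor SLA breach", 3, 4, planned_by=date(2018, 12, 1)),
        Risk("R-007", "Visitor tailgating", 2, 3),
    ]


if __name__ == "__main__":
    register = sample_register()
    for name, items in triage(register, ACCEPTANCE_THRESHOLD).items():
        print(name, [f"{r.risk_id}({r.score})" for r in items])
    for finding in audit_findings(register, ACCEPTANCE_THRESHOLD, AUDIT_DATE):
        print("FINDING:", finding)
```

Running the script shows the medium-risk R-004 dropping out of the control list because it is transferred rather than mitigated, and two audit findings: R-002 (an unacceptable high risk with no control in place) and R-006 (a scheduled medium-risk control whose plan date has passed). Changing ACCEPTANCE_THRESHOLD moves the line between "accepted" and "scheduled", which is exactly the decision the acceptance criteria encode.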
