Risk management process
1 - Does a company usually have to realize all of the 114 controls (I know you can choose other controls besides the 114 controls of ISO 27001)? Is the main idea behind Annex A that these controls should be implemented (if you can't exclude them)? You said that besides the risk treatment table we should check things like legal and contractual requirements when we try to fill out the SoA. I would just like to get a feeling for whether companies usually have to implement a high percentage of Annex A (on average across all companies and industry sectors), if this is the main idea of Annex A. I know that it's different from company to company and that it depends on the industry sector.
Answer: Normally companies implement only part of the controls of Annex A (especially in the case of small and mid-sized companies), as a result of the risk assessment or the identification of legal requirements. The main purpose of Annex A is not to be fully implemented, but to ensure relevant aspects of information security are not forgotten during the risk assessment (sometimes, only by looking at a control, someone can identify a relevant risk related to it).
2 - I just don't know how to handle Annex A after being done with the risk assessment table and almost done with the risk treatment table. If our company can't explain why this control didn't touch our company (because we accept the specific risk, for example), should we implement it? If you start reading Annex A it says: Annex A must be used in the context of 6.1.3 (risk treatment).
An example: some of our employees got a laptop and a smartphone from the company to work with. In our risk assessment the risk levels for these assets are under 3 and 4, and right now these assets fall into the category "accepted risk". With this identification, and in this specific example, we are able to ignore (for example) the control A.6.2.1.
Another example: our human resources security doesn't have to be added to the risk treatment plan either. This means, if there are no other legal or contractual regulations, we can ignore A.7.2.3 in this specific example? I know there might be a few more assets where this control has to be used. Let's assume we consider just this asset and the others are out of consideration.
Answer: If after the risk assessment you do not identify unacceptable risks, or legal requirements, to justify implementing some controls, you do not need to implement them, as simple as that. Your examples are good ones.
Aug 08, 2018