Expert Advice Community

Risk owners empowerment

Guest user Created:   Dec 22, 2016 Last commented:   Dec 22, 2016

1) An organization is a mix of diverse people. When delegating the task of RISK ASSESSMENT and RISK TREATMENT to the RISK owners, how do you suggest empowering them to choose appropriate controls from Annex A? Obviously an introductory training is needed, but it may not be possible to cover every control in Annex A in great detail.

Expert
Rhand Leal Dec 22, 2016

Answer: After an introductory training, you should consider specific training covering controls according to the risk owners' responsibilities (e.g., controls from section A.7, HR security, for the HR department; controls from section A.12, operations security, for the IT department; etc.). This way, in some cases, you will reduce the number of controls to be detailed, focusing only on those that are relevant for them.

But you should also note that, according to the standard, the main responsibility of the risk owner is to approve the information security risk treatment plan and accept the residual information security risks, not to choose controls directly. Sometimes, depending upon the size and maturity of the organization, the best course of action is to have someone with expert knowledge in information security who can help the risk owners make better decisions regarding the controls to be applied (some organizations call them CSOs, or CISOs).

These articles will provide you further explanation about risk owners and the CISO:
- Risk owners vs. asset owners in ISO 27001:2013 https://advisera.com/27001academy/knowledgebase/risk-owners-vs-asset-owners-in-iso-270012013/

- What is the job of Chief Information Security Officer (CISO) in ISO 27001? https://advisera.com/27001academy/knowledgebase/what-is-the-job-of-chief-information-security-officer-ciso-in-iso-27001/

- Chief Information Security Officer (CISO) – where does he belong in an org chart? https://advisera.com/27001academy/blog/2012/09/11/chief-information-security-officer-ciso-where-does-he-belong-in-an-org-chart/

2) Please clarify: if the whole of RISK MANAGEMENT in ISO 27001 is roughly bifurcated into PLANNING and IMPLEMENTATION phases, then can we say that the RISK ASSESSMENT, RISK TREATMENT, RISK ASSESSMENT REPORT, SOA and RESIDUAL RISK SHEET documents fall in the PLANNING phase, whereas the RISK TREATMENT PLAN is for the IMPLEMENTATION phase?

Answer: Your assumption is partially right. Although it is not explicit anymore, ISO 27001 still follows a PDCA cycle, and some elements play different roles in different phases. All the documents you listed are outputs of the planning phase, and the risk treatment plan is an input for the implementation phase. But you should also note that they are inputs for the Performance evaluation described in clause 9 of the standard (they provide the targets you will use to compare whether your results are OK or need adjustments), and outputs from the Improvement step described in clause 10 (management decisions can demand updates to all of them).

This article will provide you further explanation about the PDCA cycle and the risk assessment process:
- Has the PDCA Cycle been removed from the new ISO standards? https://advisera.com/27001academy/blog/2014/04/13/has-the-pdca-cycle-been-removed-from-the-new-iso-standards/

These materials will also help you regarding risk owners and risk assessment process:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
