If you could help me with this question about documenting Risk re-evaluation processes Risk Treatment with ISO certified SOA already in place:
Is it mandatory to document the mapping process in other words choose the Annex A controls to the relevant risks in the 05.2_Appendix_2_Risk_Treatment_Table, from the drop down menu
is it enough that applicable controls are determined [necessary to implement, 6.1.3.b)] and compared [with Annex, A 6.1.3. c)] only in the SOA?
I’m conducting risk re-evaluation and if any new controls are applicable, I believe I’m able to spot them and write them straight to SOA without mapping all the controls beforehand in RT Table.
In the situation where you review the risks (i.e., the ISMS is already fully implemented), you need to go through your Risk assessment table and Risk treatment table and conclude if there are any new risks and/or new controls that need to be addressed - if yes, you need to update these documents, and also reflect this change in the Statement of Applicability. If there are no new risks, you need to document this fact, the best way to do this is to inform the top management at the next management review so that this is recorded in the Management review minutes.