We are a small IT co. currently at Risk Treatment stage. IT manager has now become engaged in more detail and suggesting that we accept all suggested controls automatically generated for each risk. Understandably, his thinking is that it is safer to be comprehensive and many controls will be selected in other risks anyway. I think that there is a danger here that explaining any given control applied to a risk might look like 'box ticking' if the control is not really applicable/relevant to the particular risk.
Example; one risk/threat pair 'Rules for mobile devices not defined/theft, vandalism, or sabotage' offers 32 controls.If we have to explain/justify each of these controls in SoA that seems a lot of work and some justifications may be thin? This is just 1 of 114 risks he has selected for application of controls, so we may be creating a huge mountain to climb?
Any advice/guidance on this appreciated.