I have some questions about risk management, and I was wondering if you could help me with them.
Does ISO 27001 require the risk treatment plan to be one single plan, or is it acceptable to make risk treatment plans and approvals per risk? And if it is acceptable, what elements must be present for each treated risk (responsibility, timetable, etc.)? The question arises because of a risk software that allows making the risk assessment, the treatment and the treatment plan on a per-risk basis; there is no means to collect all risks in one single plan (which contains the treatment descriptions).
Does ISO 27001 require a documented procedure for comparing the controls (determined in 6.1.3 b) with those in Annex A? The question arises because the above-mentioned software has no means to compile a control comparison in a consolidated form, e.g. a control table to use for the comparison (like the Advisera Risk Treatment Table template has).