Risk Treatment and SoA
Answer: No. Risk treatment must be performed only for the controls stated as applicable in the SoA, unless they are already fully implemented and do not require corrections or improvements (sometimes you will have a situation where a control already exists but is not performing as expected, or you want to take the chance to improve its performance or efficiency, and the needed actions should be included in the risk treatment).
This article will provide you further explanation about Risk Treatment and SoA:
- ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
- The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/
These materials will also help you regarding Risk Treatment and SoA:
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
- The basics of risk assessment and treatment according to ISO 27001 [free webinar] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
May 06, 2017