Expert Advice Community

Risk treatment plan and SoA

Guest user Created: Dec 23, 2016 Last commented: Dec 23, 2016

1 - I am getting confused with the Residual risk acceptance table in the SoA document. Could I be assisted with any video tutorial, as I am unable to link it with the SoA and even the Risk treatment plan?

Expert
Rhand Leal Dec 23, 2016

Answer: Sure, in the video tutorials that came with your toolkit, there is one about how to write ISO 27001 statement of applicability that will provide you help on how to fill out all the data.

2 - Also please clarify: only the risk with an impact number above 2 gets carried forward to the next level? E.g. if we start off from the Risk assessment table and we have a risk with impact 2 and another with impact 4, this means the risk with impact 2 stays on this sheet whereas the one with impact 4 is taken to the Risk treatment sheet. Well, on the Risk treatment sheet we ascertain control(s) for it and re-ascertain the level after controls, and if the impact now becomes 2 we will conclude the effort here and also mention it on the SoA only. And if the level becomes 3 or even remains 4, we will take it further to the SoA, then mention it on Residual risk and plan for its treatment on the Risk Treatment plan? Is that so?

Answer: Considering that your limit value for acceptable risks is 2, all the risks for which the calculation of impact and probability results in a value above 2 should be taken to the risk treatment plan, not only those with an impact value above 2.

That said, after you define the applicable controls and re-ascertain the risk value, you should mention all the results obtained in the risk treatment plan in the SoA, even those that still remain above the value 2.

For the cases that are above your acceptable risk limit, justifications could be that you accept the risk as it is (the "accept" option is a valid one for risk treatment if you decide to apply no controls), or that the costs and effort to apply additional controls wouldn't be worth it (in the case the applicable controls do not reduce the risk value to acceptable limits).

This article will provide you further explanation about risk treatment plan:
- 4 mitigation options in risk treatment according to ISO 27001 https://advisera.com/27001academy/blog/2016/05/16/4-mitigation-options-risk-treatment-according-iso-27001/
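As an added illustration of the flow described in the answer above (this is example code written for this page, not the toolkit's own spreadsheet logic), here is a small Python model of the three sheets: the assessment register, the risks carried to the risk treatment sheet because their combined level exceeds the acceptable limit of 2, and the SoA residual risk acceptance rows, which list every treated risk and require a justification for any residual still above the limit. The page does not state how impact and probability are combined, so the additive formula is an assumption and is injectable; the sample register entries and control names are constructed.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Acceptable risk limit used in the thread: anything above 2 needs treatment.
ACCEPTABLE_RISK_LIMIT = 2

# Assumption: the page does not state how impact and probability are combined,
# so the combination is a parameter; plain addition is the constructed default.
Combine = Callable[[int, int], int]


def additive(impact: int, probability: int) -> int:
    return impact + probability


@dataclass
class Risk:
    """One row of the risk assessment sheet (constructed structure)."""
    asset: str
    threat: str
    impact: int
    probability: int
    controls: List[str] = field(default_factory=list)   # controls chosen during treatment
    residual_impact: Optional[int] = None                # re-ascertained values after controls
    residual_probability: Optional[int] = None
    justification: str = ""                              # required if residual stays above limit


def risk_level(impact: int, probability: int, combine: Combine = additive) -> int:
    return combine(impact, probability)


def initial_level(risk: Risk, combine: Combine = additive) -> int:
    return risk_level(risk.impact, risk.probability, combine)


def residual_level(risk: Risk, combine: Combine = additive) -> int:
    """Residual level after treatment. A risk accepted as-is (no controls applied)
    keeps its initial values, so its residual equals its initial level."""
    if risk.residual_impact is None or risk.residual_probability is None:
        return initial_level(risk, combine)
    return risk_level(risk.residual_impact, risk.residual_probability, combine)


def treatment_plan(register: List[Risk], limit: int = ACCEPTABLE_RISK_LIMIT,
                   combine: Combine = additive) -> List[Risk]:
    """Risks carried from the assessment sheet to the risk treatment sheet:
    the combined level, not the impact alone, decides."""
    return [r for r in register if initial_level(r, combine) > limit]


def residual_risk_acceptance(plan: List[Risk], limit: int = ACCEPTABLE_RISK_LIMIT,
                             combine: Combine = additive) -> List[Dict[str, object]]:
    """Residual risk acceptance rows for the SoA. Every treated risk is listed,
    including those still above the limit; those must carry a justification
    (accepted as-is, or further controls not worth the cost)."""
    rows = []
    for r in plan:
        level = residual_level(r, combine)
        within_limit = level <= limit
        if not within_limit and not r.justification:
            raise ValueError(f"{r.asset}/{r.threat}: residual level {level} exceeds "
                             f"{limit} and has no justification")
        rows.append({
            "asset": r.asset,
            "threat": r.threat,
            "initial_level": initial_level(r, combine),
            "controls": list(r.controls),
            "residual_level": level,
            "within_limit": within_limit,
            "justification": "" if within_limit else r.justification,
        })
    return rows


# Constructed sample register (not from the toolkit).
REGISTER = [
    Risk("laptop", "theft", impact=2, probability=2,
         controls=["full-disk encryption"],
         residual_impact=1, residual_probability=2,
         justification="further controls not worth the cost"),        # 4 -> 3, still above 2
    Risk("public website", "defacement", impact=1, probability=1),    # 2: stays on assessment sheet
    Risk("backup tapes", "loss in transit", impact=2, probability=1,
         controls=["encrypted media"],
         residual_impact=1, residual_probability=1),                   # 3 -> 2: accepted
    Risk("email", "phishing", impact=2, probability=2,
         justification="accepted as is; no controls applied"),         # "accept" option, residual 4
]

if __name__ == "__main__":
    for row in residual_risk_acceptance(treatment_plan(REGISTER)):
        print(row)
```

Passing a different `combine` (for example multiplication) changes which rows move to the treatment sheet, which is exactly why the answer stresses the combined result rather than the impact column alone.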
