Yet another question. Since our company is in the early stages and consists of a small organization, we are able to easily change our ways of working. This means we can also prevent getting into situations where we have risks which are unacceptable.
As I understand it, if we're able to implement all relevant controls before entering any ISO 27001 certification, then we should be able to completely ignore documents such as the ones regarding risk treatment. This would mean that the status for all items in the Statement of Applicability is either set to not applicable, or fully implemented. Can you confirm that we are able to ignore the documents related to risk treatment in this case? Also, is it common to do it like this?