Expert Advice Community

SoA - status of controls

Created:   Oct 29, 2020 Last commented:   Oct 30, 2020

 I have a question about SoA.

Should all the applicable controls be implemented for the certification, or is it possible that the status of some controls will be "planned"?

Expert
Rhand Leal Oct 29, 2020

If you go for the certification audit, you should have most of the controls stated as applicable in the SoA implemented, and make sure that the controls that mitigate the biggest risks are fully implemented.

In other words, you can leave only a smaller number of less significant controls to be implemented after the certification, i.e., in status "planned". In such a case, you have to ask the risk owners to accept the residual risks related to these controls before the certification, and the Risk Treatment Plan needs to have a defined deadline for such controls after the certification.

This article will provide you with a further explanation about certification:
- Which questions will the ISO 27001 certification auditor ask? https://advisera.com/27001academy/blog/2015/07/20/which-questions-will-the-iso-27001-certification-auditor-ask/

This material will also help you regarding certification:
- ISO 27001/ISO 22301: The certification process [free webinar on demand] https://advisera.com/27001academy/webinar/iso-27001iso-22301-certification-process-free-webinar-demand/

Nika Oct 29, 2020

Thanks a lot for your explanation!

Could you please also clarify the following:

A lot of controls in the SoA were already implemented before we started implementing ISO 27001. Because of that, the risks associated with the controls were acceptable. How should we then justify the selection of controls in the SoA? Just by showing the risk numbers from the Risk Assessment, even if the risk was acceptable?

Expert
Rhand Leal Oct 30, 2020

Please note that the risks identified in the assessment as acceptable are acceptable only because of the already implemented controls.

Considering that, the justification for such controls is that they are required to treat risks identified in the risk assessment (in the assessment, you need to ensure there is an observation that the controls are already implemented to treat such risks).
