SoA’s justification for the selection of control

1. If there is no risks from the risk treatment (thus nor risk treatment number for the control), should one use risks from the risk assessment (select risk numbers which have already treated by a control) for the justification for selection?

our assumption is correct. If you identified during the risk assessment that relevant risks are already in acceptable levels because the related control is already implemented, then you can use these risks as justification for the applicability of the control in the SoA.

For further information, see:

• The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/

2. I have a hard time to figure out which are differences between secure areas (A.11.1.5) and securing offices, rooms and facilities?

Control A.11.1.5 refers to how to work on secure areas (e.g., do not use cameras inside, forbid unsupervised work, etc.), while control A.11.1.3 refers to physical controls implemented to improve the security of the environment (e.g., located away from public traffic, soundproof, etc.).

These articles will provide you a further explanation about physical security:

• Physical security in ISO 27001: How to protect the secure areas https://advisera.com/27001academy/blog/2015/03/23/physical-security-in-iso-27001-how-to-protect-the-secure-areas/

These materials will also help you regarding ISO 27001 controls:

• ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
• ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/