In the ISMS Assistant you treat each prioritised risk by opening Risk Treatment, choosing one of the four options, then enabling and assigning the matching Annex A controls on the Risk Controls page. From those decisions Cenedril generates the Statement of Applicability (SoA) at the end of the chapter, recording for each of the 93 controls whether it is applicable or excluded. The SoA is one of the mandatory audit documents and is then available as a record in Documentation.
Walk through the treatment options
Open Risk Treatment
In the ISMS Assistant open the Risk Treatment chapter. The entry page shows the four treatment options: Avoidance, Retention, Modification (Controls) and Sharing. The assistant guides you through all four across the following pages.
Decide avoidance and retention
On the Risk Avoidance page you mark the scenarios whose underlying activity will be given up. On Risk Retention you record which risks already sit at an acceptable level and will be knowingly carried. These scenarios are then excluded from the controls page.
Enable and assign controls
Open Risk Controls
Switch to the Risk Controls page. It shows the 93 Annex A controls grouped into the four themes Organizational, People, Physical and Technological. Four stat cards at the top summarise the state: the number of enabled controls, how many of those are recommended, and the most and least covered scenarios.
Work through the recommended controls first
Turn on the Show recommended only filter to see the controls Cenedril derives from your scenarios first. Recommended controls carry an amber Recommended badge. Use the search box and the theme and CIA filters (C, I, A) to narrow the list further.
Expand and enable a control
Click a control to expand it. You see the short summary, the associated threats and the execution criteria. Toggle the switch on the right to enable the control. On enabling, Cenedril pre-assigns the recommended scenarios.
Pick execution criteria and assign risks
Under the description blocks, tick the execution criteria you commit to; the depth you choose should follow the risk level of the scenarios the control covers. Then, under Assign to risks, mark every scenario the control covers. Make sure every enabled control carries at least one assigned risk.
Justify exclusions and save
For controls you do not enable, pick a category in the Exclusion reason field (such as Not applicable, Resource constraints or Compensating control exists) and add a note where useful. Save your work with Save as Draft or finish the page with Save & Continue.
Review the Statement of Applicability
Open the Statement of Applicability
At the end of the chapter the Statement of Applicability (SoA) page opens. It is read-only and generated automatically from your control decisions. Two counters at the top show how many controls are Applicable and how many are Not Applicable.
Check the table and the exclusions
The table shows, per control, the columns Annex A, Name, Status, Assigned Risks, Excluded Criteria and Exclusion Reason. Use the All, Applicable and Not Applicable filters to confirm that every applicable control has an assigned risk and every excluded one carries a reason. Clicking the control icon opens the detail view.
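The consistency checks this review amounts to, written out as an added example (not Cenedril's code): it derives SoA rows from a small set of control decisions and flags an enabled control with no assigned risk, an assignment to a scenario already retained or avoided, an excluded control without a reason, and a catalogue control with no decision at all. The four-control catalogue, the risk ids and the decisions are constructed for illustration; the real catalogue has 93 entries.

```python
from dataclasses import dataclass

# Constructed subset of the Annex A catalogue (the real list has 93 controls).
CATALOGUE = {
    "5.1": "Policies for information security",
    "6.3": "Information security awareness, education and training",
    "7.4": "Physical security monitoring",
    "8.16": "Monitoring activities",
}

@dataclass
class ControlDecision:
    control_id: str
    enabled: bool
    assigned_risks: frozenset = frozenset()  # scenario ids the control covers
    exclusion_reason: str = ""               # category chosen when not enabled

def build_soa(decisions, avoided, retained, catalogue=CATALOGUE):
    """Derive SoA rows from control decisions and collect audit findings.
    Invariants: one decision per catalogue control; every applicable control has
    at least one assigned risk that is neither avoided nor retained; every
    excluded control carries an exclusion reason."""
    by_id, issues, rows = {}, [], []
    for d in decisions:
        if d.control_id in by_id:
            issues.append(f"{d.control_id}: duplicate decision")
        by_id[d.control_id] = d
    for cid, name in catalogue.items():
        d = by_id.get(cid)
        if d is None:
            issues.append(f"{cid}: no treatment decision recorded")
        elif d.enabled:
            stale = sorted(d.assigned_risks & (set(avoided) | set(retained)))
            if not d.assigned_risks:
                issues.append(f"{cid}: applicable but no assigned risk")
            elif stale:
                issues.append(f"{cid}: assigned to avoided/retained scenario(s) {stale}")
            rows.append((cid, name, "Applicable", sorted(d.assigned_risks), ""))
        else:
            if not d.exclusion_reason:
                issues.append(f"{cid}: excluded without an exclusion reason")
            rows.append((cid, name, "Not Applicable", [], d.exclusion_reason))
    applicable = sum(1 for r in rows if r[2] == "Applicable")
    return {"rows": rows, "applicable": applicable,
            "not_applicable": len(rows) - applicable, "issues": issues}

# Constructed sample decisions; two of them are deliberately incomplete.
SAMPLE = [
    ControlDecision("5.1", True, frozenset({"R1", "R2"})),
    ControlDecision("6.3", True, frozenset({"R3"})),              # R3 is retained below
    ControlDecision("7.4", False, exclusion_reason="Not applicable"),
    ControlDecision("8.16", False),                                # no exclusion reason
]

if __name__ == "__main__":
    soa = build_soa(SAMPLE, avoided={"R5"}, retained={"R3"})
    print(f"Applicable: {soa['applicable']}  Not Applicable: {soa['not_applicable']}")
    for issue in soa["issues"]:
        print("ISSUE", issue)
```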
The SoA itself is stored as a record under Documentation, where it can be versioned and formally approved. Without an approved SoA, the risk treatment counts as incomplete from an audit perspective.
Result: every prioritised risk carries a treatment decision, the applicable controls are enabled and assigned to their scenarios, and the Statement of Applicability lists all 93 controls in full with status and reason. The next chapter turns these decisions into security objectives and an implementation plan.