While risk assessment is the core competence of information security, it is the information security policy and the agreed scope of the ISMS that provide the organisational context within which that risk assessment takes place. The first step in the planning phase for the establishment of an ISMS is the definition of the information security policy. A risk assessment can only be carried out once an information security policy exists to provide context and direction for the risk assessment activity.

Information security policy

This requirement is set out in Clause 5.2 of ISO 27001 (and control A.5.1 in Annex A of ISO 27001). It is not always, however, as straightforward as it seems. It may ...

Get Information Security Risk Management for ISO 27001/ISO 27002, third edition now with the O’Reilly learning platform.