CHAPTER 6: INFORMATION SECURITY POLICY AND SCOPING
While risk assessment is the core competence of information security, it is the information security policy and the agreed scope of the ISMS that provide the organisational context within which that risk assessment takes place. The first step in the planning phase for the establishment of an ISMS is the definition of the information security policy. A risk assessment can only be carried out once an information security policy exists to provide context and direction for the risk assessment activity.
Information security policy
This requirement is set out in clause 4.2.1 of ISO27001 (and control A.5.1, in Annex A to ISO27001). It is not always, however, as straightforward as it seems. It may ...