While risk assessment is the core competence of information security, it is the information security policy and the agreed scope of the ISMS that provide the organisational context within which that risk assessment takes place. The first step in the planning phase for the establishment of an ISMS is the definition of the information security policy. A risk assessment can only be carried out once an information security policy exists to provide context and direction for the risk assessment activity.

Information security policy

This requirement is set out in clause 4.2.1 of ISO27001 (and control A.5.1, in Annex A to ISO27001). It is not always, however, as straightforward as it seems. It may ...
