CHAPTER 5: BASELINE SECURITY CRITERIA
Step five is a straightforward one. It looks at the information security controls you already have in place, assesses them for adequacy, and incorporates them into your ISMS.
As I said earlier, most organizations will make a number of decisions about risks before even starting the ISO 27001 project (after all, they have been in business for a time, dealing with threats and vulnerabilities for real). They also will have implemented a number of controls in order to comply with statutory, regulatory, or contractual requirements. The organization must decide how it incorporates these existing controls into its ISMS and its risk assessment methodology.
The necessity is to implement controls appropriate for the ...