The risk assessment is at the heart of the ISMS. To a very real extent, you could say that the controls adopted by the organization are the ISMS. While this, of course, is not strictly true, the reality is that the bulk of the project time will be invested in desiging, deploying, testing and revising appropriate controls that are intended to meet the identified risks. It is therefore important to have an overview of controls.

The concepts of risks and controls are linked and are fundamental to information security management systems. Risk is defined as ‘the combination of the probability of an event and its consequences’. Control is defined as the ‘means of managing risk, including policies, procedures, guidelines, ...