1. What is the best methodology for an information security risk assessment?
2. How to ensure if privacy principles are dealt with in accordance with relevant legislation and regulations? If the client says that he is performing an assessment to ensure he is in line with the DPA, is this information enough to make him compliant with clause 18.1.4?