"Risk assessment is a crucial step in Information Security Management System (ISMS) implementation because it tells you the following: you should implement security controls (safeguards) only if there are risks (potential incidents) that would justify that particular control. In other words, the higher the risk, the more you need to invest in controls; but, on the other hand, if there are no risks that would justify a particular control, then implementing it would be a waste of time and money"
Answer: Controls from ISO 27001 Annex A must be applied only if one of the following occurs:
- There are risks identified as unacceptable in the risk assessment that require the implementation of the control
- There are legal requirements (e.g., laws, regulations, contracts, etc.) that require the implementation of the control
- There is a top management decision requiring the implementation of the control
If none of these occurs there is no need to implement a control considering ISO 27001 requirements.