Expert Advice Community

Performing risk assessment

Guest user Created:   Dec 27, 2017 Last commented:   Jan 06, 2018


I have a problem in understanding the risk assessment. Suppose that I am an ISMS consultant in an organization. I must do a "risk assessment". Here is the problem: should I first define some policies for the organization and then do the risk assessment? Or should I first do the risk assessment and, based on it, define some policies? If the latter is correct, how can I do it? For example, for assessing the risks about passwords, if the organization doesn't have any password policy, how can I determine whether the risk assessment should be based on 8-character passwords or 10-character passwords?

Expert
Rhand Leal Dec 27, 2017

Answer: The better approach is to perform the risk assessment before defining policies. This way you can ensure the policies will cover the relevant results of the risk assessment and avoid rework.

If the organization has not implemented policies by the time you have to perform the risk assessment, you can rely on other sources of requirements, such as laws or contracts the organization must comply with, incident history, and common practices adopted by the industry.

These articles will provide you with further explanation about risk assessment:
- ISO 27001 risk assessment & treatment – 6 basic steps
- ISO 27001 risk assessment: How to match assets, threats and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/

These materials will also help you regarding risk assessment:
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
- The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/

Guest
saeed_orage Jan 06, 2018

So, this will help us to know the culture of the organization in following the regulations, policies, etc. And it's helpful in preparing the organization context document, because there is a PESTLE analysis in this document and the "S" stands for sociocultural factors. What is your idea? Is my conclusion correct?

Expert
Rhand Leal Jan 11, 2018

Your conclusion is correct. By understanding which policies are already implemented and which risks are identified and considered relevant, you can have a snapshot of the organization's culture, as well as some perception of the cultures of the other organizations that do business with it.
