We are trying to implement an ISMS to ISO 27001 standards in my new organization.
In trying to prepare a Statement of Applicability, I discovered that virtually all the controls were based on business requirements, best practices, contractual obligations and legal requirements. They were not based on the results of risk assessments.
Can the organization still go ahead with the implementation process, or will we need to reassess the risks on a risk assessment basis?
It is highly unlikely that an organization does not have risks to justify the implementation of controls, so you should review your risk assessment criteria and results to be sure of these results.
Items like the acceptance criteria level, and which persons participate in the assessment, should be checked to see if the criteria are compatible with your organizational context and if people with knowledge of business activities were involved in the process.
Additionally, most commonly, people assessing the risks assign too low a level for impact.
Thanks for your response to my question but it doesn't provide the answer I am looking for.
We have reference to related risks on the Statement of Applicability but the issue for me is that the policies were mainly formulated as a result of business requirements, best practices, contractual obligations and legal requirements, and not as a result of risk assessment.
I want to know if the SoA will meet ISO 27001 standards with this justification for formulating the policies.
ISO 27001 only requires that results of risk assessment are taken into account when defining risk treatment and SoA, not that the majority of controls must have risks as justification for applicability (this is not a common situation, so you should be prepared for some questioning from the auditor).
Provided that in the SoA you refer to the most relevant identified risks, it can be accepted for certification purposes.