Risk Assessment

Is it a common practice? Since according to the general understanding of ISMS development I assume that risk assessment should go first.

Answer:

Developing policies and procedures before risk assessment is performed is not a common practice and it is not recommended, because this increase the risks of rework. Even if it seems obvious that some policies are mandatory and you know what should be defined in those policies, if during the risk assessment you identify unacceptable risks you have not thought about earlier, you will have to work on the document again, perhaps needing to make big changes.

Another problem is that if you include in the policy something to treat a risk you think is unacceptable, but in reality the risk is acceptable if you follow the right order and perform risk assessment first, then you are making your policy unnecessary complex and wasting resources.

This article will provide you further explanation about risk assessment:
- ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/

These materials will also help you regarding risk assessment:
- The basics of risk assessment and treatment according to ISO 27001 [free webinar] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/