Thank you for your recent reply – this was very helpful.
I’m back with another question:
As I understand it, the risk assessment is used to identify which assets/threats call for the implementation of controls due to a high risk score. This is helpful in order to know which controls you’ll have to implement. My question goes like this:
“Can” I document and implement, let’s say, e.g., an “Acceptable use of assets” policy (Annex A control A.8.1.3) even though nothing in my risk analysis points to the need for this? Or should all controls/policies be implemented based on what is found to have a risk score of 3+ in my risk analysis?
I hope this makes sense. If not, please feel free to ask clarifying questions.