Expert Advice Community

Why write policies before the risk assessment

Guest user Created: Jan 12, 2016 Last commented: Jan 12, 2016

I am still not sure why/how we could 'set the Policies' (2nd step, the 1st being the 'scope') before performing a formal risk assessment. Would you be able to clarify this for me, please?

DejanK Jan 12, 2016

You need to define the scope before your risk assessment, because you need to know for which areas/departments of your company you need to perform the risk assessment.

Regarding policies, you will write only the top-level Information Security Policy before the risk assessment; all the other policies you need to write after the risk assessment.

See also this article: ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
