Guest
Why write policies before the risk assessment
I am still not sure why/how we could 'set the Policies' (2nd step, the 1st being the 'scope') first before performing a formal risk assessment. Would you be able to clarify it for me please?
You need to define the scope before your risk assessment, because you need to know for which areas/departments of your company you need to perform the risk assessment.
Regarding policies, you will write only the top-level Information Security Policy before the risk assessment; all the other policies you need to write after the risk assessment.
See also this article: ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
Jan 12, 2016