First Step in Establishing Governance per ISO 27001: An Information Security Policy outlines the organization's commitment to security, its objectives, and the framework for managing risks. This foundational step provides direction and purpose for the ISMS (Information Security Management System).
Why This Comes First:
Establishes the scope and objectives of the ISMS.
Aligns information security goals with business objectives.
Guides subsequent actions like risk assessments and resource allocation.
Why Other Options Are Incorrect:
A. Identify threats, risks, impacts, and vulnerabilities: Occurs after policy definition to align with its framework.
B. Decide how to manage risk: Requires a policy foundation.
C. Define the budget: Happens after defining scope and needs.
References: ISO 27001 mandates the creation of a high-level information security policy as the first step in an ISMS lifecycle.