Risk assessment is at the heart of the ISMS. Understanding its significance to the overall process is critical, and is one of the keys to project success. The board adopts an information security policy because there are a number of significant risks to the availability, confidentiality and integrity of the organization’s information. The board mandates the design and deployment of an ISMS in order to ensure that its policy is systematically and comprehensively implemented. The policy must, therefore, reflect the board’s assessment of information security risks. This doesn’t mean the board needs to carry out a detailed risk assessment itself, but it does need to set out a clear, overall approach to risk that can be used ...