ISO27001 explicitly requires risk assessment to be carried out before any controls are selected and implemented. Our risk assessment template for ... to the company. For example, suppose the ...