We were discussing which should be done first and someone commented:
Many times, we find that the Control Objectives and controls become
prominent before an ISMS is properly established. Where can a SOA stand
if the assets are not identified and risk is not assessed and approved
by the ISMS Management.
As I’ve said, I think this is a fallacious argument.
If you buy a house or a car there are locks already installed.
They are installed regardless of any specific threats or any knowledge of the assets contained. Many (new) houses come equipped with additional security features such as alarm systems, steel-cased doors
and frames and such like. These are BASELINE features that are implemented without any identification of assets or any formal Risk Analysis or approval process.
Please note: I am not saying that a house owner might not institute additional controls such as an insurance policy that identifies specific assets or a guard dog that is taught the boundaries (aka ‘scope’) it has to protect.