Hi,
Sorry if this is under the wrong topic, wasn't sure on the most suitable.
I am just working through some policies, risk assessments, procedures etc.
If i conduct a risk assessment, do i then need a corresponding policy?
For example, i have a pen risk assessment that i'm updating, do i then need a pen policy? Or could this just be answered under clause 4.9.6.2 instead of having a separate policy?
I currently have both however i'm not sure if it's overkill.
I hope this makes sense.