What should be the priority when selecting controls for an ISO 27001 project?

Selecting controls for an ISO 27001 project should prioritize business impact and security because the overarching goal of implementing an Information Security Management System (ISMS) is to protect the organization's information assets while ensuring that business objectives are met.

When evaluating controls, it is crucial to understand the specific risks to the organization's information and to determine how those risks can affect business continuity, reputation, and financial stability. Controls must be tailored not just to meet compliance requirements or to be cost-effective, but to effectively mitigate the risks that threaten the organization's core activities.

By focusing on business impact and security, you ensure that the controls implemented will not just comply with regulatory standards but will also add value by enhancing the organization's resilience against potential security threats, thus supporting the organization's strategic goals.
