
Explanation of ISO 27001:2013 clause 4.1 (Understanding the organization)

Author: Dejan Kosutic

Clause 4.1 is a completely new requirement in the 2013 revision of ISO 27001, and it has caused quite a bit of confusion because it is rather vague. (By the way, there is very similar confusion with ISO 22301, so this article is also applicable to clause 4.1 of ISO 22301.)

So, let’s see what this clause is and what it’s not about.

The requirements of ISO 27001 clause 4.1 and suggestions of ISO 31000

ISO 27001 says very briefly that you need to identify all of the internal and external issues that could influence your information security management system (ISMS). It also refers to clause 5.3 of ISO 31000 for a detailed explanation.

ISO 31000 is a standard that provides guidelines for risk management, and this is what it suggests could be included when identifying internal and external issues (by the way, the same items are listed in ISO 27004:2014):

  • In short, for internal context you could consider organizational structure, roles and responsibilities, business strategy and objectives, capabilities and resources, organizational culture, information systems and processes, contractual relationships, etc.
  • For external context, the most important are interested parties and their requirements; but you can also consider the political, economic, cultural, technological and competitive environment, as well as the trends that could have an impact on your company.

Please note that ISO 31000 gives guidelines only; therefore, they are not mandatory.

How to identify internal and external issues

For internal issues, this is what you must do:

  • Make sure your information security objectives are aligned with the business strategy (ISO 27001 clause 5.1 a).
  • Perform the risk assessment, including the identification of information systems and contractual relationships (clauses 6.1.2 and 8.2).
  • Determine the resources (clause 7.1).
  • Determine information security roles and responsibilities (clause 5.3).
  • Determine capabilities (clause 7.2).

So, the point is, you do not need to create extra steps for identifying internal issues on top of what you have to do because of the mentioned clauses in ISO 27001 – this basically means that by implementing those clauses you will identify all the internal issues along the way.

However, if you do want to create an extra step, you could perform the analysis according to the so-called 7S Framework – it includes the assessment of: Strategy, Structure, Systems, Shared Values, Skills, Style, and Staff. You’ll find more information here: The McKinsey 7S Framework.

For external issues, the first thing is to comply with clause 4.2 of ISO 27001 (Understanding the needs and expectations of interested parties) – this article explains how: How to identify interested parties according to ISO 27001 and ISO 22301.

You could also perform the so-called PEST analysis, which identifies Political, Economic, Social, and Technological issues in your company environment. You’ll find more information here…

How to document those issues

For internal issues, you must document your information security objectives and results of the risk assessment, and maintain records of competence of your employees. (See the List of mandatory documents required by ISO 27001 (2013 revision).)

Because of control A.18.1.1, it is mandatory to have a list of relevant legislative, statutory, regulatory, and contractual requirements; this list can help you with information security laws and regulations.

It is not mandatory to document your PEST analysis or 7S Framework analysis, but larger companies would normally create such documents when reviewing their business strategy; smaller companies usually do not have them, but I’m sure most of the business owners/CEOs consider all these issues when they are figuring out how to compete in the market. So, if you work for a larger company, simply ask your corporate office to provide you with these documents; in smaller companies, make sure you talk to your CEO.

Although clause 4.1 does cause a lot of confusion, I actually like it – it forces information security professionals to look beyond mere infosec questions, so in reality this clause helps bring business and information security closer together.


Dejan Kosutic
Lead ISO 27001/22301 Expert, Advisera

