How to define context of the organization according to ISO 27001

Author: Rhand Leal

Since the release of the 2013 revision of ISO 27001, clause 4.1, which requires the organization to determine its context, has caused quite some confusion, because its wording is rather vague: what exactly must you consider so that information security helps achieve business objectives?

ISO 27001, the leading ISO standard for information security management, requires the definition of the organizational context but gives little detail itself; a note to clause 4.1 points to ISO 31000, the leading ISO standard for risk management, for guidance on what that context consists of.

This article will present some examples of what should be considered for internal and external issues according to ISO 31000. By the way, this article is also applicable to clause 4.1 of ISO 22301.

The importance of understanding the organizational context for ISO 27001

The organizational context includes external and internal issues relevant to the Information Security Management System (ISMS). Besides being a requirement of the standard (clause 4.1), being aware of the organizational context can give an organization a clearer view of the most relevant issues (either positive or negative) for information security, allowing it to properly define the ISMS purpose, devise strategies, and allocate its resources where they will bring better results. For more information, see: Should information security focus on asset protection, compliance, or corporate governance? and Aligning information security with the strategic direction of a company according to ISO 27001.

Examples of internal and external issues to be considered

According to ISO 31000:2009 clause 5.3 (the clause referenced in the note to ISO 27001 clause 4.1), two types of issues should be considered:

  • Internal issues: factors under the direct control of the organization
  • External issues: factors an organization has no control over, but that it can anticipate and adapt to

Examples of internal issues are:

  1. Organizational structure. Knowing the roles, accountabilities, and hierarchy in the organization will help define where to position the ISMS. For more information, see: Where does information security fit into a company? and Roles and responsibilities of top management in ISO 27001 and ISO 22301.
  2. Organizational drivers. The organization’s values, mission, and vision, expressed in its internal culture, policies, objectives, and strategies, can help define its information security policies, objectives, and strategies. It is important to note that these factors are greatly affected by employees and other people working in the organization. Their perceptions and opinions should also be considered.
  3. The way the organization does things. Knowing how processes work (both isolated and interconnected), how information flows, and how decisions are made will make it easier to integrate information security processes and controls with business operations and management activities.
  4. Available resources. Knowing what equipment, technologies, systems, capital, time, personnel, and knowledge you already have in your organization can help you guide your acquisitions, as well as the development not only of solutions, but also the competencies required to keep information secure. For more information, see How to demonstrate resource provision in ISO 27001 and How can ISO 27001 and ISO 22301 help with critical infrastructure protection?
  5. Contractual relationships. Understanding the relationships with suppliers and customers can allow an organization to include, in the scope of its ISMS, controls needed to better manage the customers and suppliers’ requirements. For more information, see: Which security clauses to use for supplier agreements? and How to perform an ISO 27001 second-party audit of an outsourced supplier.

The identification of internal issues will help you comply with the standard’s requirements, such as the alignment of the ISMS with business strategies (clause 5.1.a) and determination of roles and responsibilities (clause 5.3), resources (clause 7.1), and capabilities (clause 7.2).

Here are some examples of external issues:

  1. Market and customer trends. The increasing adoption of cloud services is a good example of a trend that should be considered for an ISMS, since it moves data and controls outside the organization’s direct control.
  2. Perceptions and values of external interested parties. Relationships with external parties are not limited to contracts. They have their own cultures that should be considered, as well as the beliefs of the people who work with them.
  3. Applicable laws and regulations. A good example is all of the work performed by organizations to comply with the EU GDPR, which became applicable on 25 May 2018.
  4. Political and economic conditions. Elections, after which public policy may change direction, and movements in local currency exchange rates, should be monitored.
  5. Technological trends and innovations. Breakthrough technologies or innovations may render security controls useless or provide new ways to protect information.

By the way, identifying external issues will also help you comply with clause 4.2, Understanding the needs and expectations of interested parties. For more information, see: How to identify interested parties according to ISO 27001 and ISO 22301.

ISO 31000 just provides examples to be considered. If you want to make a structured analysis, for internal issues you may use the 7S Framework – which includes the assessment of: Strategy, Structure, Systems, Shared Values, Skills, Style, and Staff. You’ll find more information here: The McKinsey 7S Framework.

For a structured analysis of external issues, you may try the PEST analysis, which identifies Political, Economic, Social, and Technological issues in your company’s environment. You’ll find more information here…

How to document those issues

ISO 27001 does not require companies to document the context of the organization in a separate document; only certain elements of the internal and external issues need to be documented, through documented information the standard already requires elsewhere.

For internal issues, the relevant ones must be reflected in the information security objectives (clause 6.2), in the results of the risk assessment (clause 8.2), and in the records of the competence of your employees (clause 7.2). (See here a List of mandatory documents required by ISO 27001 (2013 revision).)

For external issues, control A.18.1.1 (Identification of applicable legislation and contractual requirements) makes it mandatory to keep a list of the relevant legislative, statutory, regulatory, and contractual requirements; this list is where the information security laws and regulations that apply to you are recorded.

It is not mandatory to document your PEST analysis or 7S Framework analysis, but larger companies would normally create such documents when reviewing their business strategy; smaller companies usually do not have them, although most business owners/CEOs consider all these issues when figuring out how to compete in the market. So, if you work for a larger company, simply ask your corporate office to provide you with these documents; in smaller companies, make sure you talk to your CEO.

Know your context to provide effective protection

By understanding the organizational context well, you can implement a robust ISMS that will cover the needs and expectations of the organization, customers, and other interested parties, and ensure that it will handle the most relevant risks, minimizing the occurrence and impact of incidents and increasing the use of opportunities.

ISO 31000 provides some guidance on which issues should be considered, and by applying this to the implementation of ISO 27001, an organization can implement an ISMS that not only will comply with the standard, but that will also add value to the business.

Learn more about how internal and external issues affect the ISMS scope in this free online training: ISO 27001 Foundations Online Course.