The basics
ISO 27001 clause 4.1 is called “Understanding the organization and its context”. It requires the organization to determine the external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcomes of its ISMS.
This analysis feeds the later steps of the ISMS: it helps determine the requirements of interested parties (clause 4.2), the ISMS scope (clause 4.3), the risks to be assessed, and so on.
Documentation
ISO 27001 clause 4.1 Understanding the organization and its context does not require writing any document.
The following documents are not mandatory; companies can decide whether to write them:
- List of internal issues
- List of external issues
Implementation
To comply with clause 4.1 Understanding the organization and its context, companies need to do the following:
- Identify internal issues (this is an input)
- Identify external issues (this is an input)
- As an output, produce a clear understanding of what is expected of the ISMS (what it needs to achieve and for whom) and of the company's ability to build and operate such an ISMS.
Audit evidence
During the certification audit, the auditor will check the following regarding the clause 4.1 Understanding the organization and its context:
- If the company has identified internal issues that are relevant to the context.
- If the company has identified external issues that are relevant to the context.
Since documenting the context is not mandatory, the auditor will typically check whether internal and external issues have been identified by interviewing the relevant people in the company; if the company has chosen to document the issues, the auditor will review those documents as well.