An expert blog by Ken Holmes, CISSP, CIPP/E, CertiKit’s managing director and principal consultant. Ken is a qualified ISO/IEC 27001 Lead Auditor, an active member of ISACA and a BSI-published author on IT service management. Ken is the lead author of the CertiKit ISO 27001 toolkit.
In this blog article, we’re going to talk about section 4 of the ISO27001 standard which is context of the organization. This section has four sub-sections covering the organization and its context, interested parties, scope of the ISMS and the ISMS itself.
The first of these requires the organization to identify relevant external and internal issues which, let’s face it, is pretty vague, so let me try to shed some light on this for you. This is really asking “what’s going on within and outside of your organization that could have an impact on what you’re trying to do in terms of information security?”
Because ISO standards are designed to apply to organizations of all types and sizes, in all industries in all countries, this is where it asks you to get more specific about this particular implementation.
For example, the internal and external issues that could affect a small insurance company in the UK are likely to be very different to those that could affect a large biochemical company in Mexico which again are different to those of a medium-sized government department in Japan.
So internal factors such as what the organization does, how many people it has, what the culture is, how long it has been established, its structure etc. will be relevant to the objectives it sets, the risks it identifies, its risk appetite and what it has to lose. Similarly, external factors such as the political situation, the economy, degree of security and environmental issues like wildfires or earthquakes will guide the way in which the ISMS is put in place.
The second sub-section is about understanding the needs and expectations of interested parties. The first step in meeting this requirement is to define who the interested parties of the ISMS could be. Another term that is often used here is “stakeholder”, and this perhaps gives more of a clue as to what we’re talking about. Who has a stake in the success of the ISMS and, in a wider context, the organization as a whole? Who is affected by what the organization does or doesn’t do? If there’s a data breach, who will feel the impact of this?
The CertiKit toolkit document Information Security Context Requirements and Scope gives an initial list of who might be included as your interested parties, but there may be more or less depending on your circumstances.
Once identified, it’s a case of thinking about what the nature of their interest is. How would they define “success” in information security terms? A high share price? Continued employment? Not having their personal data spread across the Internet?
Having done some thinking about what the internal and external issues are and how the interested parties could be affected, this may help in deciding what the most appropriate scope is for the ISMS, and that’s what the next sub-section covers. Defining the scope is an important step so it’s worth taking some time early on to think this through.
Lastly, the fourth sub-section basically says that you will put an ISMS in place which to be honest seems a little redundant but there it is.
So that’s a brief run-through of Clause 4 of the ISO27001 standard – Context of the organization. An often-overlooked section, but when you think about it, fundamental to getting your ISMS right.
CertiKit is a provider of ISO toolkits, consultancy and internal auditing services, and has helped more than 4000 organizations worldwide with their compliance.