An expert blog by Ken Holmes CISSP, CIPP/E; CertiKit’s managing director and principal consultant. Ken is a qualified ISO/IEC 27001 Lead Auditor, an active member of ISACA and a BSI-published author on IT service management. Ken is the lead author of the CertiKit ISO 27001 toolkit.
In this blog article, we’re going to talk about section 4 of the ISO27001 standard, “Context of the organization”. This section has four sub-sections covering the organization and its context, interested parties, the scope of the ISMS and the ISMS itself.
The first of these requires the organization to identify relevant external and internal issues which, let’s face it, is pretty vague, so let me try to shed some light on this for you. This is really asking “what’s going on within and outside of your organization that could have an impact on what you’re trying to do in terms of information security?”
Because ISO standards are designed to apply to organizations of all types and sizes, in all industries in all countries, this is where it asks you to get more specific about this particular implementation.
For example, the internal and external issues that could affect a small insurance company in the UK are likely to be very different to those that could affect a large biochemical company in Mexico, which again are different to those of a medium-sized government department in Japan.
So internal factors such as what the organization does, how many people it has, what the culture is, how long it has been established, its structure, etc. will be relevant to the objectives it sets, the risks it identifies, its risk appetite and what it has to lose. Similarly, external factors such as the political situation, the economy, the degree of security in the region and environmental issues like wildfires or earthquakes will guide the way in which the ISMS is put in place.
The second sub-section is about understanding the needs and expectations of interested parties. The first step in meeting this requirement is to define who the interested parties of the ISMS could be. Another term that is often used here is “stakeholder”, and this perhaps gives more of a clue as to what we’re talking about. Who has a stake in the success of the ISMS and, in a wider context, the organization as a whole? Who is affected by what the organization does or doesn’t do? If there’s a data breach, who will feel the impact of this?
The CertiKit toolkit document Information Security Context Requirements and Scope gives an initial list of who might be included as your interested parties, but there may be more or less depending on your circumstances.
Once identified, it’s a case of thinking about what the nature of their interest is. How would they define “success” in information security terms? A high share price? Continued employment? Not having their personal data spread across the Internet?
Having done some thinking about what the internal and external issues are and how the interested parties could be affected, you may find it easier to decide what the most appropriate scope is for the ISMS, and that’s what the next sub-section covers. Defining the scope is an important step, so it’s worth taking some time early on to think this through.
Lastly, the fourth sub-section basically says that you will put an ISMS in place, which, to be honest, seems a little redundant, but there it is.
So that’s a brief run-through of Clause 4 of the ISO27001 standard – Context of the organization. An often-overlooked section, but when you think about it, fundamental to getting your ISMS right. If you’re looking for more information about implementing an ISMS, our free 50-page downloadable guide below may be useful.