ISO27001 Guide: Context of the organization

An expert blog by Ken Holmes CISSP, CIPP/E; CertiKit’s managing director and principal consultant. Ken is a qualified ISO/IEC 27001 Lead Auditor, an active member of ISACA and a BSI-published author on IT service management. Ken is the lead author of the CertiKit ISO 27001 toolkit.

In this blog article, we’re going to talk about section 4 of the ISO27001 standard which is context of the organization. This section has four sub-sections covering the organization and its context, interested parties, scope of the ISMS and the ISMS itself.

External and Internal Issues

The first of these requires the organization to identify relevant external and internal issues, which, let's face it, is pretty vague, so let me try to shed some light on it. The standard is really asking: what is going on within and outside of your organization that could affect what you are trying to achieve in terms of information security?

Because ISO standards are designed to apply to organizations of all types and sizes, in all industries and in all countries, this is the point at which the standard asks you to get specific about your own implementation.

For example, the internal and external issues that could affect a small insurance company in the UK are likely to be very different to those that could affect a large biochemical company in Mexico which again are different to those of a medium-sized government department in Japan.

So internal factors such as what the organization does, how many people it has, its culture, how long it has been established, its structure and so on will be relevant to the objectives it sets, the risks it identifies, its risk appetite and what it has to lose. Similarly, external factors such as the political situation, the economy, the local security situation and environmental hazards such as wildfires or earthquakes will guide the way in which the ISMS is put in place.

Interested Parties

The second sub-section is about understanding the needs and expectations of interested parties. The first step in meeting this requirement is to define who the interested parties of the ISMS could be. Another term that is often used here is “stakeholder”, and this perhaps gives more of a clue as to what we’re talking about. Who has a stake in the success of the ISMS and, in a wider context, the organization as a whole? Who is affected by what the organization does or doesn’t do? If there’s a data breach, who will feel the impact of it?

The CertiKit toolkit document Information Security Context Requirements and Scope gives an initial list of who might be included as your interested parties, but there may be more or less depending on your circumstances.

Once identified, it’s a case of thinking about what the nature of their interest is. How would they define “success” in information security terms? A high share price? Continued employment? Not having their personal data spread across the Internet?

Defining the Scope of the ISMS

Having done some thinking about what the internal and external issues are and how the interested parties could be affected, this may help in deciding what the most appropriate scope is for the ISMS, and that’s what the next sub-section covers. Defining the scope is an important step so it’s worth taking some time early on to think this through.

And Finally…

Lastly, the fourth sub-section requires the organization to establish, implement, maintain and continually improve an ISMS in accordance with the standard. To be honest, that seems a little redundant given that the rest of the standard describes how to do exactly that, but there it is.

So that’s a brief run-through of Clause 4 of the ISO27001 standard – Context of the organization. It is an often-overlooked section but, when you think about it, fundamental to getting your ISMS right. If you’re looking for more information about implementing an ISMS, our free downloadable 10-step guide to ISO27001 certification may be useful.
