Sign in

Outline the Context Issues of the Organization According to ISO 27001 ISMS Standard.

Larra Smith
Outline the Context Issues of the Organization According to ISO 27001 ISMS Standard.

The organizational context covers both external and internal challenges of the Information Security Management System (ISMS). Aside from being a requirement of the standard (clause 4.1), being aware of the organizational context can provide an organization with a clearer view of the most relevant issues (either positive or negative) for information security, allowing it to properly define the ISMS purpose, devise strategies, and allocate resources where they will yield better results. For further information, read Should Information Security Prioritize Asset Protection, compliance, or corporate governance? and By ISO 27001, integrating information security with a company's strategic objective. According to risk management, two categories of concerns should be considered:

  • Internal issues: Factors that are directly controlled by the organization
  • External issues: Parameters over which an organization has little control but which it can predict and adjust to.

So, here are the examples of internal issues:

  1. Organizational structure. Understanding the organization's roles, responsibilities, and hierarchy will aid in determining where to position the ISMS.
  2. Organizational drivers. The values, goals, and vision of the organization, as reflected in its internal culture, ISMS policies, objectives, and strategies, can assist in defining its information security policies, objectives, and strategies. It is vital to highlight that employees and other people working in the organization have a significant impact on these elements. Their perceptions and opinions should also be taken into account.
  3. The way the organization does things. Understanding how processes work (both isolated and interconnected), how information flows, and how choices are made can make integrating information security procedures and controls with business operations and management activities easier.
  4. Available resources. Knowing what equipment, technologies, systems, cash, time, staff, and knowledge you already have in your company may help you lead acquisitions and the establishment of not only solutions but also the competencies required to keep information secure.
  5. Contractual relationships. Knowing the relationships between suppliers and customers can enable an organization to add controls required to effectively manage the requirements of customers and suppliers in the scope of its ISMS.

The identification of internal concerns will assist you in meeting the requirements of the standard, such as aligning the ISMS with business strategy (article 5.1.a) and determining roles and duties (paragraph 5.3), resources (section 7.1), and capabilities (clause 7.2).

External issues include the following:

  1. Market and customer trends. The increased popularity of cloud services is a good example of a trend that should be taken into account while developing an ISMS.
  2. Perceptions and values of external interested parties. Contracts aren't the only way to interact with other parties. They have their own cultures, as well as the beliefs of those who deal with them.
  3. Applicable laws and regulations. A notable example is the work done by organizations to comply with the EU GDPR, which went into effect in May 2018.
  4. Political and economic conditions. voting, during which public policy tendencies may shift, as well as changes in local currency exchange rates, should be closely followed.
  5. Technological trends and innovations. Breakthrough technologies or discoveries may render security procedures obsolete or create new avenues for data protection.

By the way, external issues will also help you to comply with clause 4.2 Understanding the needs and expectations of interested parties. Risk management just provides examples to be considered. If you want to make a structured analysis, for internal issues you may use the 7S Framework – which includes the assessment of Strategy, Structure, Systems, Shared Values, Skills, Style, and Staff.

Larra Smith
Zupyak is the world’s largest content marketing community, with over 400 000 members and 3 million articles. Explore and get your content discovered.
Read more