Updated: November 14, 2022, according to the ISO 27001:2022 revision.
ISO 27001 clause 4.1, which requires the identification of the organizational context, may cause some confusion, because it is rather vague. What must you consider for information security to help achieve business objectives?
To cover this topic, ISO 27001, the leading ISO standard for information security management, requires the definition of the organizational context, referring to ISO 31000, the leading ISO standard for risk management, for detailed guidance.
This article will present some examples of what should be considered for internal and external issues according to ISO 31000. By the way, this article is also applicable to clause 4.1 of ISO 22301.
- Market and customers trends
- Perceptions and values of external interested parties
- Applicable laws and regulations
- Political and economic conditions
- Technological trends and innovations
The importance of understanding the organizational context for ISO 27001
The organizational context includes external and internal issues relevant to the Information Security Management System (ISMS). Besides being a requirement of the standard (clause 4.1), being aware of the organizational context can give an organization a clearer view of the most relevant issues (either positive or negative) for information security, allowing it to properly define the ISMS purpose, devise strategies, and allocate its resources where they will bring better results. For more information, see: Should information security focus on asset protection, compliance, or corporate governance? and Aligning information security with the strategic direction of a company according to ISO 27001.
Examples of internal and external issues to be considered
According to ISO 31000 clause 5.3.1, two types of issues should be considered:
- Internal issues: factors under the direct control of the organization
- External issues: factors an organization has no control over, but that it can anticipate and adapt to
Examples of internal issues are:
- Organizational structure. Knowing the roles, accountabilities, and hierarchy in the organization will help define where to position the ISMS. For more information, see: Where does information security fit into a company? and Roles and responsibilities of top management in ISO 27001 and ISO 22301.
- Organizational drivers. The organization’s values, mission, and vision, expressed in its internal culture, policies, objectives, and strategies, can help define its information security policies, objectives, and strategies. It is important to note that these factors are greatly affected by employees and other people working in the organization. Their perceptions and opinions should also be considered.
- The way the organization does things. Knowing how processes work (both isolated and interconnected), how information flows, and how decisions are made will make it easier to integrate information security processes and controls with business operations and management activities.
- Available resources. Knowing what equipment, technologies, systems, capital, time, personnel, and knowledge you already have in your organization can help you guide your acquisitions, as well as the development not only of solutions, but also the competencies required to keep information secure. For more information, see How to demonstrate resource provision in ISO 27001 and How can ISO 27001 and ISO 22301 help with critical infrastructure protection?
- Contractual relationships. Understanding the relationships with suppliers and customers can allow an organization to include, in the scope of its ISMS, controls needed to better manage the customers and suppliers’ requirements. For more information, see: Which security clauses to use for supplier agreements? and How to perform an ISO 27001 second-party audit of an outsourced supplier.
The identification of internal issues will help you comply with the standard’s requirements, such as the alignment of the ISMS with business strategies (clause 5.1.a) and determination of roles and responsibilities (clause 5.3), resources (clause 7.1), and capabilities (clause 7.2).
Here are some examples of external issues:
- Market and customers trends. The increase in the adoption of cloud services is a good example of a trend that should be considered for an ISMS.
- Perceptions and values of external interested parties. Relationships with external parties are not limited to contracts. They have their own cultures that should be considered, as well as the beliefs of the people who work with them.
- Applicable laws and regulations. A good example is all of the work performed by organizations to comply with the EU GDPR, which came into force in May 2018.
- Political and economic conditions. Elections, when public policy trends may change, and changes in local currency exchange rates, should be monitored.
- Technological trends and innovations. Breakthrough technologies or innovations may render security controls useless or provide new ways to protect information.
By the way, external issues will also help you to comply with clause 4.2 Understanding the needs and expectations of interested parties. For more information, see: Who are interested parties, and how can you identify them according to ISO 27001 and ISO 22301?
ISO 31000 just provides examples to be considered. If you want to make a structured analysis, for internal issues you may use the 7S Framework – which includes the assessment of: Strategy, Structure, Systems, Shared Values, Skills, Style, and Staff.
For a structured analysis of external issues, you may try the PEST analysis, which identifies Political, Economic, Social, and Technological issues in your company’s environment.
How to document those issues
ISO 27001 does not require companies to document context of the organization through a separate document – only certain elements of internal and external issues need to be documented.
For internal issues, you must document the relevant ones as part of your information security objectives and results of the risk assessment, and maintain records of the competence of your employees. (See here a List of mandatory documents according to the ISO 27001 2022 revision.)
For external issues, because of control A.5.31, it is mandatory to have a list of relevant legislative, statutory, regulatory, and contractual requirements; this list can help you with information security laws and regulations.
It is not mandatory to document your PEST analysis or 7S Framework analysis, but larger companies would normally create such documents when reviewing their business strategy; smaller companies usually do not have them, but I’m sure most of the business owners/CEOs consider all these issues when they are figuring out how to compete in the market. So, if you work for a larger company, simply ask your corporate office to provide you with these documents; in smaller companies, make sure you talk to your CEO.
Know your context to provide effective protection
By understanding the organizational context well, you can implement a robust ISMS that will cover the needs and expectations of the organization, customers, and other interested parties, and ensure that it will handle the most relevant risks, minimizing the occurrence and impact of incidents and increasing the use of opportunities.
ISO 31000 provides some guidance on which issues should be considered, and by applying this to the implementation of ISO 27001, an organization can implement an ISMS that not only will comply with the standard, but that will also add value to the business.
To learn how to implement ISO 27001 through a step-by-step wizard and get all the necessary policies and procedures, sign up for a free trial of Conformio, the leading ISO 27001 compliance software.