Organizational Context ISMS Framework

iFour ConsultancyISMS Framework: Clause 4 - Context of the organization

Organizational Context - ISMS requirements
The organizational context for implementing and achieving the intended
outcome of its ISMS includes:
Organizational Background
Context of the Operations
Purpose
 ISO 27001:2013 has classified the organizational context into:
Clause 4.1: Understanding the organization and its context.
Clause 4.2: Understanding the needs and expectations of interested parties.
Clause 4.3: Determining the scope of ISMS.
Clause 4.4: Information Security Management System.
Offshore software development company Indiahttp://www.ifourtechnolab.com

Clause 4.1 Understanding the organization & its context
 Organization should determine the internal and external issues pertaining to the
implementation of ISMS.
 Internal issues can be described in terms of:
 Internal & External issues can be identified by:
SWOT analysis
 Image reference: https://www.fullestop.com/blog/analyze-website-swot-analysis/
 Organizational structure  Processes
 Policies  Internal practices
 People (i.e. Resources)  Products
 Objectives  Capabilities

External issues can be described in terms of:
External issues can be determined by:
PESTLE analysis
Clause 4.1 (Continued)
 Market competitors  Differentiators of products
 Trends  Environmental aspects
 Clients  Legal & Regulatory commitments
 Relationship (with
supplier/vendor/client)
 External stakeholders
Political
Economic
Social
Technological
Legal
Environmental

The context also refers to Clause 5.3 of ISO 31000:2009 standard for
establishing internal and external context of the organization.
Clause 5.3 of ISO 31000:2009 explains the establishment of your unique risk
management context. The subsections are:
Clause 5.3.1: Establish your risk management parameters.
Clause 5.3.2: Establish your organization's external context.
Clause 5.3.3: Establish your organization’s internal context.
Clause 5.3.4: Establish the context of your risk management process.
Clause 5.3.5: Establish your organization’s risk criteria.

Clause 4.2 Needs and expectations of interested parties
The organization shall determine:
Interested parties relevant to ISMS.
Requirements of these Interested parties relevant to ISMS.
Interested parties are the stakeholders that influence ISMS operations or they
are the ones who are affected by ISMS activities.
Interested parties can be any from the following:
The requirements of these interested parties includes legal and regulatory
requirements and obligations as mentioned in the contract.
 Clients  Suppliers/Vendors
 Govt. agencies/Regulators  Partners
 Employees  Shareholders/Owners

Examples of requirements by some of the entities mentioned ahead:
Shareholders of your company want their investment to be secure and they want to
earn a good return on their investment.
 Image reference: http://www.consilue.com/
Clients want your company to comply with the security clauses in the contracts your
company signs with them.
 Image reference: http://imgforu.com/login/123?q=39
Govt. agencies want your company to comply with Information Security laws and
regulations.
 Image reference: http://blog.snobmonkey.com/2015/04/14/why-universities-need-to-get-social/

The organization shall determine the boundaries and applicability of the
areas of information security system to establish its scope
The scope is determined keeping in mind these factors:
The internal and the external issues referred to in Clause 4.1
The requirements of interested parties referred to in Clause 4.2
The interfaces and dependencies between activities performed by the organization, and
those that are performed by other organizations
 The boundary is the term that considers the organization processes in relevance to
information security.
 Image reference: http://www.huntinggpsmaps.com/hunt-map-update-overview
Clause 4.3 Determining the scope of ISMS

An organization should identify the functions that are provided by the
organization itself and also the functions that are provided by external parties
which affect the CIA of information within the scope of ISMS.
Example:
A social networking company relies on its internet service provider. If a failure occurs in
providing internet to the social networking site of the company by the internet provider,
then availability of the information is compromised. Hence the internet service should
be considered while determining the scope of ISMS.
 ISO states that the scope of ISMS should be available as documented information

•Maintain the
ISMS i.e. Monitor
and Review ISMS
•Continually
Improve the ISMS
•Implement and
operate the ISMS
•Establish the ISMS
Plan Do
CheckAct
Clause 4.4 Information Security Management System

References
https://wings2i.wordpress.com/2014/10/09/what-is-context-of-the-
organization-for-iso-270012013/
http://www.aisgcorp.com/how-to-comply-with-clause-4-1-and-4-2-of-isoiec-
270012013/
http://www.slideshare.net/ULDQSInc/iso-27001-transition-to-2013-
03202014
http://advisera.com/27001academy/knowledgebase/explanation-iso-
270012013-clause-4-1-understanding-organization/
http://advisera.com/27001academy/knowledgebase/how-to-identify-
interested-parties-according-to-iso-27001-and-iso-22301/

Organizational Context ISMS Framework

Recommandé

Recommandé

Contenu connexe

Tendances

Tendances (20)

Similaire à Organizational Context ISMS Framework

Similaire à Organizational Context ISMS Framework (20)

Dernier

Dernier (20)

Organizational Context ISMS Framework

Notes de l'éditeur