This slide deck covers the management clauses of ISO/IEC 27001:2013. Clause 4 of the ISMS framework, 'Context of the organization', is the subject of this deck. - by a software development company in India
Reference:
http://www.ifour-consultancy.com
http://www.ifourtechnolab.com
2. Organizational Context - ISMS requirements
The organizational context for implementing the ISMS and achieving its intended
outcomes includes:
Organizational background
Context of the operations
Purpose
ISO/IEC 27001:2013 divides the organizational context (Clause 4) into four sub-clauses:
Clause 4.1: Understanding the organization and its context.
Clause 4.2: Understanding the needs and expectations of interested parties.
Clause 4.3: Determining the scope of the ISMS.
Clause 4.4: Information security management system.
Offshore software development company Indiahttp://www.ifourtechnolab.com
3. Clause 4.1 Understanding the organization & its context
The organization shall determine the external and internal issues that are relevant to
its purpose and that affect its ability to achieve the intended outcome(s) of its ISMS.
Internal issues can be described in terms of:
Organizational structure
Processes
Policies
Internal practices
People (i.e. resources)
Products
Objectives
Capabilities
Internal and external issues can be identified using a SWOT analysis (strengths,
weaknesses, opportunities, threats): strengths and weaknesses are internal to the
organization, opportunities and threats are external.
4. Clause 4.1 (Continued)
External issues can be described in terms of:
Market competitors
Differentiators of products
Trends
Environmental aspects
Clients
Legal and regulatory commitments
Relationships (with suppliers/vendors/clients)
External stakeholders
External issues can be determined using a PESTLE analysis, which examines the
following factors:
Political
Economic
Social
Technological
Legal
Environmental
5. Clause 4.1 (Continued)
A note to Clause 4.1 states that determining these issues refers to establishing the
external and internal context of the organization considered in Clause 5.3 of
ISO 31000:2009 (Risk management - Principles and guidelines).
Clause 5.3 of ISO 31000:2009, "Establishing the context", describes how an
organization defines its own risk management context. Its subclauses are:
Clause 5.3.1 (General): define the parameters to be taken into account when managing risk.
Clause 5.3.2: Establishing the external context of the organization.
Clause 5.3.3: Establishing the internal context of the organization.
Clause 5.3.4: Establishing the context of the risk management process.
Clause 5.3.5: Defining the organization's risk criteria.
Note that ISO 31000:2009 has since been replaced by ISO 31000:2018, which restructured
these clauses; ISO/IEC 27001:2013 still cites the 2009 edition.
6. Clause 4.2 Needs and expectations of interested parties
The organization shall determine:
Interested parties that are relevant to the ISMS.
The requirements of these interested parties that are relevant to information security.
Interested parties are the stakeholders that influence the operation of the ISMS or that
are affected by its activities.
Interested parties can include any of the following:
Clients
Suppliers/vendors
Government agencies/regulators
Partners
Employees
Shareholders/owners
The requirements of these interested parties may include legal and regulatory
requirements and contractual obligations.
7. Clause 4.2 (Continued)
Examples of requirements from some of the interested parties listed above:
Shareholders of your company want their investment to be secure and want to earn a
good return on it.
Clients want your company to comply with the security clauses in the contracts your
company signs with them.
Government agencies want your company to comply with information security laws and
regulations.
8. Clause 4.3 Determining the scope of the ISMS
The organization shall determine the boundaries and applicability of the information
security management system to establish its scope.
When determining this scope, the organization shall consider:
The external and internal issues referred to in Clause 4.1
The requirements of interested parties referred to in Clause 4.2
The interfaces and dependencies between activities performed by the organization and
those that are performed by other organizations
The boundary is the limit, expressed in terms of the organization's processes,
organizational units, locations and systems, within which information security is
managed under the ISMS; whatever lies outside it is out of scope but may still be an
interface or dependency that has to be considered.
9. Clause 4.3 (Continued)
An organization should identify the functions that it provides itself and also the
functions provided by external parties that affect the confidentiality, integrity or
availability (CIA) of information within the scope of the ISMS.
Example:
A social networking company relies on its internet service provider. If the provider
fails to deliver internet connectivity to the company's social networking site, the
availability of the information is compromised. Hence the internet service should be
considered (as an external dependency) when determining the scope of the ISMS.
Clause 4.3 requires that the scope be available as documented information.
10. Clause 4.4 Information Security Management System
The organization shall establish, implement, maintain and continually improve an ISMS
in accordance with the requirements of ISO/IEC 27001:2013. This maps onto the
Plan-Do-Check-Act (PDCA) cycle:
Plan: Establish the ISMS.
Do: Implement and operate the ISMS.
Check: Maintain the ISMS, i.e. monitor and review the ISMS.
Act: Continually improve the ISMS.