ISO 27001 Context of Organisation Ultimate Guide


Introduction

In this ISO 27001 Context of Organisation Ultimate Guide I show you everything you need to know about the ISO 27001 Context of Organisation and exactly what you need to do to satisfy it to gain ISO 27001 certification.

You will learn

  • What is ISO 27001 Context of Organisation?
  • How to write an ISO 27001 Context of Organisation document
  • ISO 27001 Internal Issues, External Issues and Interested Parties with Examples

What is ISO 27001 Context Of Organisation?

The ISO 27001 Context of Organisation document is a simple document that also serves as a light-touch risk document.

It sets out what the risks are to your information security management system (ISMS), who the main interested parties are, what their requirements are and how the information security management system (ISMS) satisfies them.

ISO 27001 Context of Organisation frames risk to the information security management system (ISMS) as internal issues and external issues: what are the issues, both internal and external, that can affect the effectiveness of the information security management system (ISMS) and its ability to meet its stated objectives?

The context of organisation looks at things that can influence the information security management system of an organisation in a structured way and records them. It allows you to tweak and bespoke the information security management system based on some key considerations. It looks at internal and external influences as well as key stakeholders and their requirements.

Relevant ISO 27001 Clause

ISO 27001 Context of Organisation is covered in ISO 27001:2022 Clause 4.1. There is a detailed guide to ISO 27001 Clause 4.1 Understanding The Organisation And Its Context.


ISO 27001 Context of Organisation Template

The comprehensive ISO 27001 Context of Organisation Template is designed to fast track your implementation and give you an exclusive, industry best practice ISO 27001 Template that is pre written and ready to go. It is complete with common internal issues, external issues and interested parties to take the guess work out.


ISO 27001 Context of Organisation Example

This is a great example of the ISO 27001 Context of Organisation, showing the first 3 pages, which are the contents of what it includes.

You can view a detailed example ISO 27001 Context of Organisation PDF.

ISO 27001 Internal Issues and Examples

What are ISO 27001 Internal Issues?

ISO 27001 Internal Issues are the things internal to the organisation that could impact the information security management system. These are typically in the control of the organisation and the organisation is often able to influence them directly.

If we consider examples of internal issues we can consider the following:

  • Having competent and experienced resources to run an information security management system (ISMS)
  • Having the support and buy-in of the board, shareholders and leadership
  • Having an effective governance structure in place

ISO 27001 External Issues and Examples

ISO 27001 External Issues are the things external to the organisation that could impact the information security management system. These are typically outside the control of the organisation and the organisation is often unable to influence them directly.

If we consider examples of external issues we can consider the following:

  • Legal and Regulatory Requirements
  • The economy
  • The availability of effective workforce
  • Competitors
  • Global Politics

ISO 27001 Interested Parties and Examples

ISO 27001 Interested Parties are the people, both internal and external to the organisation, that have requirements and expectations on the information security management system. Their requirements may require changes to the information security management system and the information security controls that are implemented.

Examples of ISO 27001 Interested Parties

  • Shareholders
  • Customers
  • Staff
  • Regulators
  • Law Makers
  • Auditors

How to implement ISO 27001 Context of Organisation

How to write the context of organisation document

In this first YouTube tutorial video we show you how to create an ISO 27001 Context Document and walk through the ISO 27001 Context of Organisation Template.

How to implement the context of organisation requirement

In this second YouTube tutorial video we show you how to implement the requirements of the standard and specifically how to implement ISO 27001 Clause 4.1 Understanding The Organisation And Its Context.

ISO 27001 Context of Organisation Contents Page

First we are going to look at the context of organisation contents. As we go through the creation of our document we are going to look at:

  • Document Contents Page
  • Introduction
  • Internal Issues Overview
  • External Issues Overview
  • Internal Issues
  • External Issues
  • Interested Parties

ISO 27001 Context of Organisation FAQ

What is the purpose of the ISO 27001 Context of Organisation Document?

The purpose of the ISO 27001 context of organisation document is to ensure the information security management system is effective by identifying the internal issues, external issues and interested parties' requirements and ensuring that they are addressed.

Why is the ISO 27001 Context of Organisation Document important?

The effectiveness of the information security management system can be directly and negatively affected by interested parties, internal issues and external issues. By documenting what they are and doing a full assessment you have the best chance to address them and ensure an effective management system from the implementation stage all the way through its operational lifecycle.

Who is responsible for ISO 27001 Context of Organisation?

Responsibility will vary from company to company but usually the ISO 27001 context of organisation is the responsibility of the information security manager.

What is the ISO 27001 Context of Organisation Principle?

Internal and external issues, as well as the requirements of interested parties, should be addressed directly in the information security management system (ISMS).

How do you identify internal issues?

You identify internal issues by conducting analysis and working to the best practice ISO 27001 context of organisation template that is populated with common examples.

How do you identify external issues?

You identify external issues by conducting analysis and working to the best practice ISO 27001 context of organisation template that is populated with common examples.

How do you identify interested parties?

There are many tools and techniques to identify interested parties including doing a stakeholder analysis.

Where can I get an ISO 27001 Context of Organisation Template?

High Table have an exclusive, fully populated ISO 27001 Context of Organisation Template you can download.

Is the ISO 27001 Context of Organisation included in the ISO 27001 Toolkit?

The ISO 27001 Context of Organisation template is included in the Ultimate ISO 27001 Toolkit.

Where can I get an example ISO 27001 Context of Organisation PDF?

You can download the example ISO 27001 Context of Organisation PDF at the High Table website.

Which ISO 27001 clause covers context of organisation?

ISO 27001 Clause 4.1 Understanding The Organisation And Its Context.
