Table of contents
- ISO27001 Understanding the Organisation and Its Context
- Watch
- What Is It?
- Purpose
- Definition
- ISO27001 AMENDMENT 1: Climate action changes
- Requirement
- ISO27001 Context of Organisation Template
- How to write ISO27001 Internal and External Issues
- What are ISO27001 Internal Issues?
- Example Internal Issues
- What are ISO27001 External Issues?
- Example External Issues
- How to comply
- How to pass an audit
- What will the auditor check?
- Top 3 Mistakes People Make
- ISO27001 Clause 4.1 FAQ
ISO27001 Understanding the Organisation and Its Context
I am going to show you what ISO27001 Clause 4.1 Understanding The Organisation And Its Context is, what’s new, give you ISO27001 templates, an ISO27001 toolkit, show you examples, do a walkthrough and show you how to implement it.
I am Stuart Barker the ISO27001 Ninja and using over two decades of experience on hundreds of ISO27001 audits and ISO27001 certifications I show you exactly what changed in the ISO27001:2022 update and exactly what you need to do for ISO27001 certification.
Watch
Watch – How to implement ISO27001 Clause 4.1 Understanding The Organisation And Its Context
What Is It?
ISO27001 Clause 4.1 requires you to understand the internal and external issues that could impact your information security management system.
An information security management system is made up of the ISO27001 documents, ISO27001 policies and processes that deliver your information security controls and keeps you safe.
Internal and external issues is just another way of saying risks.
So the clause is asking you to consider and record what internal and external risks there are to your information security management system (ISMS).
What could stop your information security management system from being able to achieve its outcomes.
Purpose
The purpose of clause 4.1 is to make sure you have considered what the risks are to your information security management system (ISMS) are and that you are managing them effectively.
Definition
The definition was amended in February 2024. The amendment is referred to as Amendment 1: Climate action changes. The amendment added the following sentence at the end of the sub-clause – ‘ The organisation shall determine whether climate change is a relevant issue.’
The ISO27001 standard defines ISO27001 clause 4.1 as:
The organisation shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its information security management system.
The organisation shall determine whether climate change is a relevant issue.
ISO27001:2022 Clause 4.1 Understanding The Organisation And Its Context
ISO27001 AMENDMENT 1: Climate action changes
In February 2024 for now reason what so ever the standard was amended to include climate change. It can be argued that this has nothing to do with information security but the following sentence was added to the clause
AMENDMENT 1: Climate action changes
The organisation shall determine whether climate change is a relevant issue.
ISO27001:2022 Clause 4.1 Amendment 1
It is advisable for minimum impact to add a sentence to your context of organisation document that states something similar to
Climate change was reviewed and not deemed to be a relevant issue at this time.
You can read more details on the changes in ISO27001:2022 Amendment 1: – Absolutely Everything You Need to Know.
Requirement
The requirement of ISO27001 Clause 4.1 is to understand your own context and document how it might impact your information security management system. Specifically how it might impact the outcomes of your information security management system.
By and large this is a quick and easy win and it sets out exactly what it wants from you.
The standard wants you to determine what are the internal issues and external issues that you face.
In reality, if you have these written down with the appropriate document mark up a certification auditor is unlikely to dig too deeply.
We created a pre populated the downloadable ISO27001 Clause 4.1 template.
ISO27001 Context of Organisation Template
The ISO27001 Context Of Organisation template fully satisfies the requirements of ISO27001 Clause 4.1 and is pre written with common internal issues examples and common external issues examples. Available as individual download it is also part of the internationally best selling and award winning ISO27001 Toolkit.
DO IT YOURSELF ISO27001
STOP SPANKING £10,000s
March Deal – SAVE 50%
How to write ISO27001 Internal and External Issues
When recording the ISO27001 Internal and External Issues the standard does not say that you should only record the negative. Do not go out of your way to find and report the negative. It may be that you have considered an internal or external issue and that, in fact, for you, it is not an issue. If you write down the issues and then write an explanation, either positive or negative, it will show that you considered it.
If the explanation is positive, it shows that you considered it and some smart ass auditor won’t raise it as a problem thinking they have got one over on you. You can say, yes, we considered it, we documented it and for us, it is not an issue.
If the explanation is negative, in that you do have an issue, then describe the issue and indicate whether or not you have raised a risk in the risk register to address it. It would be expected and good practice for each issue that is an issue, to be in the risk register and managed via risk management.
What are ISO27001 Internal Issues?
Internal issues in the context of ISO27001 are issues that could impact the effective operation of the information security management system (ISMS). Think of them as risks to the information security management system (ISMS) meeting it’s intended outcomes. These are the things that are internal to your organisation that, on the most part, you have some control over.
When considering internal issues, the following can be a great guide:
- governance, organisational structure, roles and accountabilities
- policies, objectives, and the strategies that are in place to achieve them
- capabilities, understood in terms of resources and knowledge (e.g., capital, time, people, processes, systems and technologies)
- the relationships with and perceptions and values of internal stakeholders
- the organisation’s culture
- information systems, information flows and decision-making processes (both formal and informal)
- standards, guidelines and models adopted by the organisation; and
- form and extent of contractual relationships
Example Internal Issues
ISO27001 Clause 4.1 internal issues examples
Internal Issue | Example Internal Issue |
---|---|
People | Internally there are no resources trained or experienced in the delivery of ISO27001. |
Time | The implementation and management of the information security management system and of the supporting controls requires a significant time investment from key departments and key individuals. |
Organisational Structure | The structure of the organisation currently does not fully support the information security management implementation and on-going management. Changes will be required. |
Technologies | The company uses off the self, standard applications under license. |
Availability of reliable, qualified and competent work force | There is strong competition in the market for resources for x technology. |
Company Objectives | The company objectives are aligned with the information security objectives. |
What are ISO27001 External Issues?
The following is a great guide for what to consider to external issues.
- the social and cultural, political, legal, regulatory, financial, technological, economic, natural and competitive environment, whether international, national, regional or local.
- key drivers and trends having impact on the objectives of the organization; and
- relationships with perceptions and values of external stakeholders.
Example External Issues
External issues in the context of ISO27001 are issues that could impact the effective operation of the information security management system (ISMS). These are the things that are external to your organisation that, on the most part, you have no real control over.
ISO27001 Clause 4.1 external issues examples
External Issue | Example External Issue |
---|---|
Economic Climate | [Consider the current economic climate and its impact on the business and the information security management system.] |
Technology Advances | [Consider the impact of technology changes on the business and information security management system.] |
Competition | [Consider the place within the marketplace and the stage and maturity of the business. Consider comparing the information security management system and approach to that of the competition.] |
Legislation changes | [Consider the impacts of Data Privacy laws, impacts of topics such as Brexit.] |
Relationships with external stakeholders | [Consider the relationship with external stakeholders positive / negative describing the reporting and structure] |
How to comply
To comply with ISO27001 Clause 4.1 you are going to implement the ‘how’ to the ‘what’ the clause is expecting. You are going to
- Write a Context of Organisation document
- Identify and record your internal issues that could impact the information security management system
- Identify and record your external issues that could impact the information security management system
- Decide if the issues identified require risk management via the the risk register and risk management process
How to pass an audit
To pass an audit of ISO27001 Clause 4.1 you are going to make sure that you have followed the steps above in how to comply.
You are then going to conduct an internal audit, following the How to Conduct an ISO27001 Internal Audit Guide.
What will the auditor check?
The auditor is going to check a number of areas for compliance with Clause 4.1. Lets go through them
1. That you have documented your internal and external issues
The simplest way to do this is with the fully populated ISO27001 Context of Organisation Template.
2. That you are risk managing internal and external issues
If you identify an internal issue or external issue that can impact the information security management system and you are not addressing it directly then you need to manage it via risk management. This means as a minimum putting it on the risk register and following your risk management process. Be sure to link the issue to the risk by cross referencing.
3. That you have approved the included common issues
Auditors like to raise common internal and external issues that they have seen else where so it is good practice to list out in full internal and external issues that could impact your information security management system whether they apply to you or not. If they do not apply to you, record them and say that they do not apply to you and why. In this way you can show that you have done a thorough job and avoid awkward questions or the auditor raising points that you have considered but placed out of scope. You have recorded them, they don’t apply, you can evidence why not.
Top 3 Mistakes People Make
In my experience, the top 3 mistakes people make for ISO27001 clause 4.1 are
1. You have no evidence that anything actually happened
You need to keep records and minutes and documented evidence. Recording internal and external issues that apply and those that do not shows a thorough understand of the requirement and will avoid awkward questions.
2. You did not link to risk management
Where an internal issue or external issue was identified but you cannot satisfy it you should have this on the risk register and managed via risk management. This is often missed. If you identify an issue and do nothing about, or cannot evidence that you have done something about it, it will be raised as a non conformity.
3. Your document and version control is wrong
Keeping your document version control up to date, making sure that version numbers match where used, having a review evidenced in the last 12 months, having documents that have no comments in are all good practices.
ISO27001 Clause 4.1 FAQ
What are internal and external issues in ISO27001?
You think of internal and external issues as risks. What are the things that you are facing that you need to address. Internal issues could be related to having the staff and the skills to operate ISO27001. External issues could be changes in the law or regulations in your industry. Internal and external issues inform how you build your Information Security Management System (ISMS). You demonstrate that you have considered them when it comes time for the ISO27001 certification audit.
There are no changes to ISO27001:2022 Clause 4.1 in the 2022 update.
Examples of ISO27001 internal issues would be people. Do you have the right people to build, implement and run the Information Security Management System. Time would be an internal issue to address, recording if staff have the time to dedicate to the requirements of the standard. Company objectives is another example that you would consider whether your information security management system was, or was not, aligned with the objectives of the company.
External issues are risks that come from outside the organisation. Examples of ISO27001 external issues would include changes to the law that may change how you do certain things or put additional requirements on you. Consider the GDPR and the challenges that that brought to business.
Yes. It is not enough to know them, you must also document them so that you can evidence that you considered them. It is best practice to share these at the Management Review Team and minute the fact that they were shared and they were signed off and accepted.
ISO27001 Clause 4.1 requires and organisation to understand the internal and external issues that could impact the information security management system.
You can download the ISO27001 Context of Organisation Template
It is not very hard. If you use the ISO27001 Context of Organisation Template the work has been done for you.
ISO27001 Clause 4.1 will take approximately 1 day to complete if you are starting from nothing and doing it yourself. With the ISO27001 Context of Organisation Template is should take you about 15 minutes.
The cost of ISO27001 Clause 4.1 will depend how you go about it. If you do it yourself it will be free but will take you about 1 day so the cost is lost opportunity cost as you tie up resource doing something that can easily be downloaded. If you download the ISO27001 Context of Organisation Template you are looking at less than ten pounds / dollars.
Other than your ISO27001 certification requiring it, the following are benefits of implementing ISO27001 Annex A 4.1:
Improved security: You will have an effective information security management system that address known internal and external issues that could impact it
Reduced risk: You will reduce the risk to your information security management system by identifying those risks and addressing them
Improved compliance: Standards and regulations require context of organisation to be in place
Reputation Protection: In the event of a breach having effectively managed risks to the management system will reduce the potential for fines and reduce the PR impact of an event
Senior management are responsible for ensuring that ISO27001 Clause 4.1 is implemented and maintained.
ISO27001 Clause 4.1 is important because it allows you to understand what can impact your information security management system so you can address it. By understanding the internal and external issues that could impact the information security management system allows to you to plan for them, mitigate and manage them and as a result increase in the effectiveness of the information security management system in meeting the business objectives and needs.