ISO 27001 understanding the organisation and its context
Understanding the organisation and its context is a slightly misleading title for this ISO 27001 Clause. As one of the ISO 27001 controls what it is really asking you is to understand and manage what it calls internal and external issues. It would have been better to call it ISO 27001 Clause 4.1 Internal and External Issues but ours is not to argue.
You will learn what ISO clause 4.1 is, how to simply and easily implement it for ISO 27001 Certification and I will show you some common gotchas so you can avoid them.
Table of contents
- ISO 27001 understanding the organisation and its context
- What is ISO 27001 Clause 4.1 Understanding The Organisation And Its Context?
- ISO 27001 Clause 4.1 Requirement
- ISO 27001 Templates
- ISO 27001 Clause 4.1 Implementation Guide
- How do I comply with ISO 27001 Clause 4.1?
- How do I pass an audit of ISO 27001 Clause 4.1?
- What will the audit check?
- Top 3 Mistakes People Make for ISO 27001 Clause 4.1
- Why is ISO 27001 Clause 4.1 important?
- Who is responsible for ISO 27001 Clause 4.1?
- What are the benefits of ISO 27001 Clause 4.1?
- ISO 27001 Clause 4.1 FAQ
What is ISO 27001 Clause 4.1 Understanding The Organisation And Its Context?
ISO 27001 Clause 4.1 requires you to understand the internal and external issues that could impact your information security management system.
An information security management system is made up of the ISO 27001 documents, ISO 27001 policies and processes that deliver your information security controls and keeps you safe.
Internal and external issues is just another way of saying risks.
So the clause is asking you to consider and record what internal and external risks there are to your information security management system.
What could stop your information security management system from being able to achieve its outcomes.
ISO 27001 Clause 4.1 Purpose
The purpose of clause 4.1 is to make sure you have considered what the risks are to your information security management system and that you are managing them effectively.
ISO 27001 Clause 4.1 Definition
The ISO 27001 standard defines ISO 27001 clause 4.1 as:
The organisation shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its information security management system
ISO 27001:2022 Clause 4.1 Understanding The Organisation And Its Context
ISO 27001 Clause 4.1 Requirement
The requirement of ISO 27001 Clause 4.1 is to understand your own context and document how it might impact your information security management system. Specifically how it might impact the outcomes of your information security management system.
By and large this is a quick and easy win and it sets out exactly what it wants from you.
The standard wants you to determine what are the internal issues and external issues that you face.
In reality, if you have these written down with the appropriate document mark up a certification auditor is unlikely to dig too deeply.
We created a pre populated downloadable ISO 27001 Clause 4.1 template, but more on that later.
ISO 27001 Templates
ISO 27001 templates have the advantage of being a massive boost that can save time and money so before we get into the implementation guide we consider these pre written templates that will sky rocket your implementation. Not interested in ISO 27001 templates, then you can skip to the next section.
The ISO 27001 Context Of Organisation template fully satisfies the requirements of ISO 27001 Clause 4.1 and is pre written with common examples. Available as individual download it is also part of the internationally best selling and award winning ISO 27001 Toolkit.
The Most Ruthlessly Effective and Aggressively Priced ISO 27001 Toolkit in the World.
Join over 1,500+ Empowered Consultants & Business Owners
ISO 27001 Clause 4.1 Implementation Guide
How to write ISO 27001 Internal and External Issues
When recording the ISO 27001 Internal and External Issues the standard does not say that you should only record the negative. Do not go out of your way to find and report the negative. It may be that you have considered an internal or external issue and that, in fact, for you, it is not an issue. If you write down the issues and then write an explanation, either positive or negative, it will show that you considered it.
If the explanation is positive, it shows that you considered it and some smart ass auditor won’t raise it as a problem thinking they have got one over on you. You can say, yes, we considered it, we documented it and for us, it is not an issue.
If the explanation is negative, in that you do have an issue, then describe the issue and indicate whether or not you have raised a risk in the risk register to address it. It would be expected and good practice for each issue that is an issue, to be in the risk register and managed via risk management.
What are ISO 27001 Internal Issues?
When considering internal issues, the following can be a great guide.
- governance, organizational structure, roles and accountabilities.
- policies, objectives, and the strategies that are in place to achieve them.
- capabilities, understood in terms of resources and knowledge (e.g., capital, time, people, processes, systems and technologies).
- the relationships with and perceptions and values of internal stakeholders.
- the organization’s culture.
- information systems, information flows and decision-making processes (both formal and informal).
- standards, guidelines and models adopted by the organization; and
- form and extent of contractual relationships.
ISO 27001 Clause 4.1 internal issues examples
| Internal Issue | Example Internal Issue |
|---|---|
| People | Internally there are no resources trained or experienced in the delivery of ISO 27001. |
| Time | The implementation and management of the information security management system and of the supporting controls requires a significant time investment from key departments and key individuals. |
| Organisational Structure | The structure of the organisation currently does not fully support the information security management implementation and on-going management. Changes will be required. |
| Technologies | The company uses off the self, standard applications under license. |
| Availability of reliable, qualified and competent work force | There is strong competition in the market for resources for x technology. |
| Company Objectives | The company objectives are aligned with the information security objectives. |
What are ISO 27001 External Issues?
The following is a great guide for what to consider to external issues.
- the social and cultural, political, legal, regulatory, financial, technological, economic, natural and competitive environment, whether international, national, regional or local.
- key drivers and trends having impact on the objectives of the organization; and
- relationships with perceptions and values of external stakeholders.
ISO 27001 Clause 4.1 external issues examples
| External Issue | Example External Issue |
|---|---|
| Economic Climate | [Consider the current economic climate and its impact on the business and the information security management system.] |
| Technology Advances | [Consider the impact of technology changes on the business and information security management system.] |
| Competition | [Consider the place within the marketplace and the stage and maturity of the business. Consider comparing the information security management system and approach to that of the competition.] |
| Legislation changes | [Consider the impacts of Data Privacy laws, impacts of topics such as Brexit.] |
| Relationships with external stakeholders | [Consider the relationship with external stakeholders positive / negative describing the reporting and structure] |
How do I comply with ISO 27001 Clause 4.1?
To comply with ISO 27001 Clause 4.1 you are going to implement the ‘how’ to the ‘what’ the clause is expecting. You are going to
- Write a Context of Organisation document
- Identify and record your internal issues that could impact the information security management system
- Identify and record your external issues that could impact the information security management system
- Decide if the issues identified require risk management via the the risk register and risk management process
How do I pass an audit of ISO 27001 Clause 4.1?
To pass an audit of ISO 27001 Clause 4.1 you are going to make sure that you have followed the steps above in how to comply.
You are then going to conduct an internal audit, following the How to Conduct an ISO 27001 Internal Audit Guide.
What will the audit check?
The audit is going to check a number of areas for compliance with Clause 4.1. Lets go through them
1. That you have documented your internal and external issues
The simplest way to do this is with the fully populated ISO 27001 Context of Organisation Template.
2. That you are risk managing internal and external issues
If you identify an internal issue or external issue that can impact the information security management system and you are not addressing it directly then you need to manage it via risk management. This means as a minimum putting it on the risk register and following your risk management process. Be sure to link the issue to the risk by cross referencing.
3. That you have approved the included common issues
Auditors like to raise common internal and external issues that they have seen else where so it is good practice to list out in full internal and external issues that could impact your information security management system whether they apply to you or not. If they do not apply to you, record them and say that they do not apply to you and why. In this way you can show that you have done a thorough job and avoid awkward questions or the auditor raising points that you have considered but placed out of scope. You have recorded them, they don’t apply, you can evidence why not.
Top 3 Mistakes People Make for ISO 27001 Clause 4.1
In my experience, the top 3 mistakes people make for ISO 27001 clause 4.1 are
1. You have no evidence that anything actually happened
You need to keep records and minutes and documented evidence. Recording internal and external issues that apply and those that do not shows a thorough understand of the requirement and will avoid awkward questions.
2. You did not link to risk management
Where an internal issue or external issue was identified but you cannot satisfy it you should have this on the risk register and managed via risk management. This is often missed. If you identify an issue and do nothing about, or cannot evidence that you have done something about it, it will be raised as a non conformity.
3. Your document and version control is wrong
Keeping your document version control up to date, making sure that version numbers match where used, having a review evidenced in the last 12 months, having documents that have no comments in are all good practices.
Why is ISO 27001 Clause 4.1 important?
ISO 27001 Clause 4.1 is important because it allows you to understand what can impact your information security management system so you can address it. By understanding the internal and external issues that could impact the information security management system allows to you to plan for them, mitigate and manage them and as a result increase in the effectiveness of the information security management system in meeting the business objectives and needs.
Who is responsible for ISO 27001 Clause 4.1?
Senior management are responsible for ensuring that ISO 27001 Clause 4.1 is implemented and maintained.
What are the benefits of ISO 27001 Clause 4.1?
Other than your ISO 27001 certification requiring it, the following are benefits of implementing ISO 27001 Annex A 4.1:
- Improved security: You will have an effective information security management system that address known internal and external issues that could impact it
- Reduced risk: You will reduce the risk to your information security management system by identifying those risks and addressing them
- Improved compliance: Standards and regulations require context of organisation to be in place
- Reputation Protection: In the event of a breach having effectively managed risks to the management system will reduce the potential for fines and reduce the PR impact of an event
ISO 27001 Clause 4.1 FAQ
You think of internal and external issues as risks. What are the things that you are facing that you need to address. Internal issues could be related to having the staff and the skills to operate ISO 27001. External issues could be changes in the law or regulations in your industry. Internal and external issues inform how you build your Information Security Management System (ISMS). You demonstrate that you have considered them when it comes time for the ISO 27001 certification audit.
There are no changes to ISO 27001:2022 Clause 4.1 in the 2022 update.
Examples of ISO 27001 internal issues would be people. Do you have the right people to build, implement and run the Information Security Management System. Time would be an internal issue to address, recording if staff have the time to dedicate to the requirements of the standard. Company objectives is another example that you would consider whether your information security management system was, or was not, aligned with the objectives of the company.
External issues are risks that come from outside the organisation. Examples of ISO 27001 external issues would include changes to the law that may change how you do certain things or put additional requirements on you. Consider the GDPR and the challenges that that brought to business.
Yes. It is not enough to know them, you must also document them so that you can evidence that you considered them. It is best practice to share these at the Management Review Team and minute the fact that they were shared and they were signed off and accepted.
ISO 27001 Clause 4.1 requires and organisation to understand the internal and external issues that could impact the information security management system.
You can download the ISO 27001 Context of Organisation Template
It is not very hard. If you use the ISO 27001 Context of Organisation Template the work has been done for you.
ISO 27001 Clause 4.1 will take approximately 1 day to complete if you are starting from nothing and doing it yourself. With the ISO 27001 Context of Organisation Template is should take you about 15 minutes.
The cost of ISO 27001 Clause 4.1 will depend how you go about it. If you do it yourself it will be free but will take you about 1 day so the cost is lost opportunity cost as you tie up resource doing something that can easily be downloaded. If you download the ISO 27001 Context of Organisation Template you are looking at less than ten pounds / dollars.