Table of contents
Introduction
In this ultimate guide to the ISO 27001 Organisation Overview you will learn
- What is an ISO 27001 Organisation Overview
- How to implement an ISO 27001 Organisation Overview
I am Stuart Barker, the ISO 27001 Ninja and author of the Ultimate ISO 27001 Toolkit.
With over 30 years industry experience I will show you what’s new, give you ISO 27001 templates, show you examples, do a walkthrough and show you how to implement it for ISO 27001 certification.
What is the ISO 27001 Organisation Overview?
The Organisation Overview collates all the information about your organisation that could and does inform and influence the information security management system.
It is information that you know and brings it together into a hand document to share with auditors and third parties to bring them up to speed on who you are quickly.
We document an overview of who we and at the same time we define the ISO 27001 Context of Organisation requirements.
It will save you time in the long run and is easy to create and record.
Purpose
The purpose of the ISO 27001 Organisation Overview is to be able to demonstrate to auditors that the information security management system (ISMS) that we have built has been built based on knowledge of the organisation, to meet the needs of the organisation.
Defintion
The ISO 27001 Organisation Overview is documented information that relates to our organisation which we use to influence and inform the building of our information security management system (ISMS).
Typically it covers who we are, what we do, where we are located, what our mission statement is, what our organisation objectives are and what our values are.
How does it work?
ISO 27001 is an information security management system for your organisation. As it is designed for your organisation you are going to want to tailor certain aspects of it to your needs.
When it comes to the certification audit the auditor is going to want to look at the connection between who you are and the ISMS you have deployed.
ISO 27001 Organisation Overview Template
The ISO 27001 organisation overview template:
How to write an ISO 27001 Organisation Overview
Every journey starts with a first step
The first step on the journey is to understand who you are. This is the easiest of all the steps. You certainly know who you are. For the purposes of the ISO 27001 certification you are going to want to write that down. The benefits of writing it down are
- It will meet the needs of the standard
- It will set a common vision and answer to who you are
- You can share with staff, new employees and those new to the organisation
To implement an ISO 27001 Organisation Overview you are going to document the following:
About us
A brief textual overview of who you are. Often people take this from their marketing materials or about us page on their website. Keep it high level but include enough information so someone that does not know you can quickly understand about you.
Your Products and Services
A list of your products and services as your customer would know them. A comprehensive list of what it is that you sell and / or provide to customers.
Your Locations
A list of the locations both real and virtual that company uses. Include as much details as you can from addresses if known to regions or countries for cloud services.
Your Mission Statement
What your companies mission is. If you have one and you know it.
Your Values
The values of the company.
Your Business Objectives
What is the business hoping to achieve over the next 12 months and the long term.
Why it contains these points
Each of the points above can directly influence and impact aspects of the information security management system and how you go about managing risks and controls.
Watch the Tutorial
Watch How to create an ISO 27001 Organisation Overview – inc ISO 27001 Template Walkthrough
ISO 27001 Organisation Overview FAQ
It is a document that describes who you are. You use the Organisation Overview to explain to auditors, clients and employees who you are, what your business objectives are, what your values are. It allows you to show, and to make, a connection to the implementation of the information security management system based on who you are.
Yes. And no. You need to be able to show the connection between who you are and why the information security management system is built and implemented the way it is. The information is straightforward and you may have it in other locations. This is fine. It is just easier all round to collate that information into one document and one place to smooth the process of audits.
The easiest format to record it in is Microsoft Word document. Any word processing package will do.
In reality it used as part of the audit process to demonstrate the connection between who you are and the information security management system you have deployed.
You can get a downloadable Organisation Overview Template at High Table the ISO 27001 Company.
It contains information about you. It will include an overview of who you are, what you do, what your business objectives are, what your values are. All information that you already know. As it is all about you.
Organisation Overview is covered in ISO 27001:2022 Clause 4.1 Understanding The Organisation And Its Context