ISO 27001 Understanding The Organisation And Its Context


Hi, I’m Stuart Barker, the ISO 27001 Ninja. This is going to be a deep dive into ISO 27001 Understanding The Organisation And Its Context, looking at how you should implement it, what the requirements are, what an audit is going to look for, and the common mistakes that people make.

On my website hightable.io there is a menu item called ‘learn’. Click on the learn drop down and you will see an ISO 27001 reference guide. All of the blogs that I’m going to be going through are on there, every clause, clause by clause.

Also be sure to subscribe to my ISO 27001 YouTube Channel.


What is Understanding The Organisation And Its Context

This is about what the standard calls internal and external issues. So what Understanding The Organisation And Its Context really comes down to is: what are internal and external issues?

What are internal and external issues?

You could use the terminology ‘risks’, but they relate specifically to your information security management system and your ability to operate an effective ISMS. So what are we looking at? We’re looking at internal issues that might stop us from achieving our objectives, and we’re looking at some of the requirements around that, which we’ll come on to in a later blog.

The purpose of Understanding The Organisation And Its Context

The purpose of Understanding The Organisation And Its Context is to make sure you have considered the risks to your information security management system and that you’re managing them effectively.

We want a management system that is highly effective, so we want to understand what the risks are so that we can mitigate them. If I give you a definition:

The ISO 27001 standard definition of Understanding The Organisation And Its Context:

The organisation shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcomes of its information security management system.

Yes this is the 2022 version of the standard and that is the word for word definition.

The requirement

The requirement of Understanding The Organisation And Its Context is, as we say, to identify what the internal and external issues are and mitigate them.

What I need you to remember as we come back to this and go through these: ISO 27001 as a standard is only 10 pages long. It doesn’t give you much more than the words I’ve just given you, but through decades of experience I’m going to show you how you can implement that and what the audit is going to look for.

The Annex A controls are separate; they have their own blogs. For now what we’re doing is going through the 27001 clauses.

ISO 27001 Templates

There are a series of templates. I have released the ISO 27001 toolkit onto the market and over 4,000 people globally, which continues to shock me, have used my approach, my videos, my templates and my toolkit to successfully achieve ISO 27001 certification.


Context of Organisation Template

There are specific templates around the context of organisation, including internal and external issues, ones that come up time and time again, pre-written, pre-populated and ready to go. It gives you guidance on how you can consider those and adopt those and build upon them, but worst case scenario you could just download it and off you go.


ISO 27001 Internal Issues Examples

Let’s have a look at a couple of examples of what internal issues could be. Again these are common; these come up time and time again with every client engagement over the years.

Internal issues could be things like people, time, organisational structure, the technologies that you’ve got, the availability of reliable, qualified and experienced resources to help you run it, and company objectives that don’t align with your information security objectives.

Internal and External Issues Implementation Guidance

Okay, so let me give you some Internal and External Issues implementation guidance. When we are writing our internal and our external issues, what we’re going to do is list out what those issues are and record positives and negatives against them within our context of organisation document.

So let’s give some examples. We said people. One example where people could be an internal issue is: internally there are no resources trained or experienced in the delivery of ISO 27001. That comes up time and time again. So that would be a negative, a negative note associated with that internal issue.

If we have a negative note associated with an internal issue, what we’re going to do is raise a risk register item. So we’re going to manage it through risk management. We’re going to show what our mitigation plan is, what it is that we’re going to be doing about it moving forward and how we’re going to address it. But here is a top tip.

ISO 27001 Ninja top tip: if there is a positive to the identified issue or potential issue, then write the positive. So the positive to people could be: internally there ARE people trained and there ARE people experienced in the delivery of ISO 27001. Is it on the risk register? No.

Why would I give you the top tip to record positive and negative? The reason I do it is that when it comes to going for our certification audit, and I say this time and time again, you play the auditor, not the standard. Every auditor is different, everybody approaches it differently, every auditor has an opinion, and the internal issues and external issues that I am giving you are ones that have come up over the years.

If you haven’t documented it for 27001, if it isn’t written down, it doesn’t exist. If you have not documented it, it doesn’t exist, and what an auditor will like to do is try and catch you out. So they’ll say, well, did you not consider people as an internal issue? If it was a positive and you hadn’t recorded it, you’re going to look a bit on the back foot, like you’re saying, oh yeah, of course we did. What we like to do instead is say no, we’ve considered all of these internal issues, positive or negative, and we have recorded against them our position as an organisation.

So it’s just about smoothing that audit process. It’s about helping that auditor, giving them as much information as we can so that they can make an effective judgment on whether our information security management system is working or not. Let’s have a look at another couple of fast examples.

Examples of Internal Issues

Time

What could the issues with time be? It could be that you haven’t got enough time to dedicate to the management system; you know, the organisation is working too much on commercial products. Positive and negative: you do have time, you don’t have time. Operational and organisational structures could be an issue for you. It could be that you’re part of a group structure, it could be that you are part of an international structure, or it could be more micro than that, but those organisational structures could present you with some challenges around meeting your objectives. Again, if they don’t, put the positive down: we have considered it, and it is not an issue for us.

Technologies

Technologies that you use may potentially introduce a risk, an issue, for you if you’re using bleeding edge technologies, or because of the way that you’re using them.

For more examples and details go to How To Implement ISO 27001 Clause 4.1 and Pass the Audit.

The table is on there, the examples are on there, the template is on there; you can download it, it’s all fully populated and it’s all included. So let’s have a little look at what external issues are.

Examples of External Issues

External issues are external risks to our information security management system. So these are things outside of your internal organisation that you have considered could impact your information security management system. What could be examples of that? Well, the economic climate could be one, technological advances, competition, legislation, changes, and relationships with external stakeholders. There are more. These are just examples that I’m giving you of what could be external issues that affect you, and again this is because we’ve been asked about them by auditors. Not every auditor asks the same question, every auditor is different, but if we cover all of their requirements, when they do pop up at least we’ve got them and we’re in our best place.

Economic Climate

So, the economic climate: during a pandemic, you know, the availability of resources and the availability of finances could be impeded. That could impact us, and therefore we would want a risk register item and to manage that through risk. Or it could be that the economic climate is actually positive and is affecting us in a positive way in delivering our management system, and therefore it doesn’t need a risk, but we’re just going to record it.

Technology Advances

Technological advances as well: if you’re working in an area of, say, bleeding edge technology, that could be something that’s going to come down, or you’re relying on technologies that are going to be superseded, out of date or out of support. It’s a long time since I touched technology, but if I imagine something like Windows XP, Windows 12, whatever it used to be, you know, I hear people talking these numbers and letters and saying this is going out of support on this date. If your entire infrastructure is built around it then you’ve got a problem; you need to manage it and you need a risk on there.

Competition

Competition is on there. Why is competition on there? I’ve had a couple of auditors over the decades that have approached me on this, and again, just for consideration: competition actually could affect your information security management system due to them being a competitor, i.e. you know, they’re seeking your intellectual property, they are a threat vector towards you, or they want your staff, and your ability then to deliver against your objectives for information security is going to be severely hindered. So, how do I comply?

How to comply with Understanding The Organisation And Its Context

You write your context of organisation document. You can download the template (it’s written for you, it’s got a guide, it’s got a video, it’s got everything you need) or you could write your own. You identify and record your internal issues, you identify and record your external issues, you decide if those issues require risk management, and if they do you put them on your risk register and you follow your internal risk management process.

What will an auditor check?

So what is an audit going to check? When an auditor comes to you, what kind of things are they going to check and look for? Well, for a start, they’re going to check that you have documented your internal and external issues.

So the simplest way of doing that is to use the context of organisation document, download the template and so on, but they’re going to make sure that you’ve documented it. As a rule, if it isn’t written down it doesn’t exist. The more you document, the easier your audit will be and the smoother the process is going to be.

The next thing they’re going to check is that you are risk managing those internal and external issues. So if that internal or external issue is a negative, they’re going to be checking that you are managing it, not just that you’ve recorded it and moved on. What they want to see is that it’s on the risk register: that you have either accepted the risk or are mitigating it, what the existing control was, what the future control is, your risk scoring, and minutes of meetings to make sure that you’ve discussed it. It all has to tie together: your issues have to tie in with your risk management, and you have to have approved and included the common issues.

So as I’ve said above, I’ve given you some common examples, and they’re going to look for them. These auditors share knowledge amongst themselves; they like to look for these things. So those are the things that an auditor is going to check.

The top 3 mistakes people make

What are the top three mistakes that people make? Well, number one is you have no evidence that anything happened. So you need to keep records of everything: minutes of meetings, records of what you did, and as a bare minimum the document that lists out what your internal and external issues are. Some of the certification bodies will say you don’t need to write it down, and technically maybe you don’t, but if we do, the benefit to us is that we are going to make that process of audit so smooth and so easy, hand feeding that auditor; it’s just going to make our life easier, plus it gives future knowledge for staff turnover, new people coming in, etc.

The number two biggest mistake that people make is not linking it to risk management. We’ve discussed that in depth. The third biggest mistake, which I cover on all of the videos, is that your documentation and version control is wrong. It’s a housekeeping element; it’s not specific to this one particular clause. Does your version control look right: has it been reviewed within the last 12 months, is there an owner, is there a classification, is there a version history, does everything mirror up, does it pass the sniff test as well as meeting the documentation standard and the documentation requirements? Get your documentation on point. Auditors love to say, oh, you called it 6.1 here but here you called it 6.2, or the last review date is 13 months ago and you say you do it every 12. Get everything refreshed. ‘Oh, this name Bob Jones is the document owner, but you told me in the HR audit that Bob Jones has left.’ Should you have put a role in rather than a name? So we’re going to check on that.
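As an added illustration, not code from the original post or from the High Table toolkit: a short Python checker that applies the auditor checks and housekeeping points above to a constructed context of organisation register. The register, its issue and risk ids, the owner name, dates and scores are all made up, and the defined-roles set is an assumption about what the organisation has documented.

```python
from datetime import date

# Owner must be a role, not a person; these roles are a constructed example.
DEFINED_ROLES = {"Information Security Manager", "CISO"}

def months_since(then: date, now: date) -> int:
    """Whole months elapsed between two dates (day of month ignored)."""
    return (now.year - then.year) * 12 + (now.month - then.month)

def audit_context(doc: dict, risks: dict, today: date) -> list[str]:
    """Apply the auditor checks described above; an empty list means clean."""
    findings = []
    for field in ("owner", "classification", "version", "last_review"):
        if not doc.get(field):  # housekeeping: document control block complete?
            findings.append(f"document control: missing {field}")
    if doc.get("owner") and doc["owner"] not in DEFINED_ROLES:
        findings.append(f"document control: owner '{doc['owner']}' is a name, not a role")
    if doc.get("last_review"):
        age = months_since(doc["last_review"], today)
        if age > doc["review_cycle_months"]:
            findings.append(f"document control: reviewed {age} months ago, cycle is {doc['review_cycle_months']}")
    # Every issue records a position; negatives must tie to a managed risk.
    for issue in doc["issues"]:
        iid, position, risk_id = issue["id"], issue.get("position"), issue.get("risk_id")
        if position not in ("positive", "negative"):
            findings.append(f"{iid}: no position recorded")
        elif position == "positive":
            if risk_id:
                findings.append(f"{iid}: positive issue should not be on the risk register")
        elif risk_id not in risks:
            findings.append(f"{iid}: negative issue with no risk register item")
        else:
            for field in ("existing_control", "future_control", "score"):
                if risks[risk_id].get(field) in (None, ""):
                    findings.append(f"{iid}/{risk_id}: risk missing {field}")
    return findings

# Constructed sample register: ids, names, dates and scores are made up.
CONTEXT_DOC = {
    "owner": "Bob Jones", "classification": "Internal", "version": "1.2",
    "last_review": date(2023, 1, 10), "review_cycle_months": 12,
    "issues": [
        {"id": "INT-01", "area": "People", "position": "negative", "risk_id": "R-07",
         "note": "No staff trained or experienced in delivering ISO 27001"},
        {"id": "INT-02", "area": "Time", "position": "positive", "risk_id": None,
         "note": "Dedicated time is allocated to running the management system"},
        {"id": "EXT-01", "area": "Technological advances", "position": "negative",
         "risk_id": None, "note": "Core platform leaves vendor support next year"},
    ],
}
RISK_REGISTER = {"R-07": {"existing_control": "External ISO 27001 consultant",
                          "future_control": "", "score": 12}}

def run_sample() -> list[str]:
    return audit_context(CONTEXT_DOC, RISK_REGISTER, date(2024, 3, 1))

if __name__ == "__main__":
    print("\n".join(run_sample()))
```

Run against the sample it reports the owner recorded as a person, a review 14 months old against a 12 month cycle, a risk with no future control, and a negative external issue with no risk register item.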

Why is it important?

Understanding The Organisation And Its Context is important for us because we need to understand whether or not our management system is going to be effective, and we want to give it the best chance we can. The way we’re going to do that is by spending time to identify any risks that could impact it. Now, there is a process of continual improvement built into ISO 27001 that’s going to continually improve this management system: internal audits, incidents, management review meetings and so on. We will come to those clauses, but we need to make sure that we’ve documented that, that we’ve understood that, and given our fledgling information security management system a fighting chance before it gets off the ground.

Who is responsible?

Responsibility for Understanding The Organisation And Its Context lies with senior management. Now, they will probably delegate the doing to the information security manager or, you know, if you’re unlucky, maybe somebody in IT, but the responsibility, the accountability, the buck stops with senior management. That is going to be the same with the majority of the clauses; in fact, that’s all of the clauses, because it’s a leadership, top-down standard.

Conclusion

I am Stuart Barker, the ISO 27001 Ninja, that is ISO 27001 clause 4.1 Understanding The Organisation And Its Context.

Be sure to subscribe to my ISO 27001 YouTube Channel. I am very needy, I need followers, but you’re going to be in good company as videos are watched tens of thousands of times and we’re approaching thousands of followers on there. Now, I look forward to talking to you and educating you and sharing my knowledge and wisdom.
