Introduction
In this tutorial we will cover Understanding The Organisation And Its Context.
You will learn what ISO 27001 Understanding The Organisation And Its Context is and how to implement it.
Table of contents
ISO 27001 Understanding The Organisation And Its Context
This is about what they call internal and external issues. You could use the terminology risks but they relate specifically to the information security management system and it’s ability to operate effectively. In this tutorial we are interested in the issues that might stop the ISMS from achieving it’s objectives.
Context of Organisation Template
Implementation Guide
General
In general you record issues even if they do not apply or are not an issues IF they could reasonably be expected to be an issue for you.
Document Internal Issues
Internal issues are issues that are in the control of the organisation to directly influence or address. Examples of internal issues would include:
- Time
What could be the issues with time? Time could be that you haven’t got enough time to dedicate to the management system. You know the organisation is working too much on Commercial products. Positive and negative. You do have time you don’t have time. Operation and organisational structures could be an issue for you. It could be that you’re part of a group structure, it could be you are part of an international structure, or it could be more micro than that, but those organisational structures could present you with some challenges around meeting your objectives. Again if they don’t then you should put the positive down and show that you have considered it and it is not an issue for you.
- Technologies
Technologies that you use may potentially prevent or introduce a risk, an issue, for you if you’re using bleeding edge technologies or the way that you’re using it.
For more examples and details go to the How To Implement ISO 27001 Clause 4.1 and Pass the Audit
The table is on there, the examples are on there, the template is on there, you can download it, it’s all fully populated and it’s all included. So let’s have a little look at what external issues are.
Document External Issues
External issues are issues that are not in the control of the organisation to directly influence or address. Examples of external issues would include:
- Economic Climate
The economic climate, for example during the pandemic, took a turn that meant the availability of resources and finances was impeded. That could impact you and therefore you would want a risk register and a risk item and to manage that through risk management. Another example could be that the economic climate is actually positive and is affecting you in a positive way to deliver your management system and therefore it doesn’t need a risk but you are just going to record it.
- Technology Advances
Technological advances and relying on technologies that are going to be superseded, out of date or out of support. If your entire infrastructure is built around it then you’ve got a problem and you need to manage it even if you accept it.
Manage issues via risk management
If you have an issue then it needs to have a risk register item and be managed via risk management.
Why is it important?
Understanding The Organisation And Its Context is important because you need to understand whether or not your management system is going to be effective. To do that you are going to spend time to identify any risks that could impact it.
There is a process of continual Improvement built into ISO 27001 that’s going to continually improve this management system but you need to make sure that you’ve documented and understood that form the outset the issues and given your fledgling information security management system a fighting chance before it gets off the ground.
Who is responsible?
Responsibility for Understanding The Organisation And Its Context lies with Senior Management and the doing will be delegated to the information security manager.