In this article I lay bare how to write, deploy and implement an ISO 27001 Organisation Overview. A beginners guide, exposing the insider trade secrets, giving you the templates that will save you hours of your life and showing you exactly what you need to do to satisfy it for ISO 27001 certification. We show you exactly what changed in the ISO 27001:2022 update. I am Stuart Barker the ISO 27001 Ninja and this is the ISO 27001 Organisation Overview.
Table of contents
- What is the ISO 27001 Organisation Overview?
- Every journey starts with a first step
- ISO 27001 Organisation Overview Template Walkthrough
- What an ISO 27001 Organisation Overview contains
- Why it contains these points
- How to create and use an ISO 27001 Organisation Overview
- ISO 27001 Organisation Overview Frequently Asked Questions
What is the ISO 27001 Organisation Overview?
The Organisation Overview collates all the information about your organisation that could and does inform and influence the information security management system.
It is information that you know and brings it together into a hand document to share with auditors and third parties to bring them up to speed on who you are quickly. We document an overview of who we and at the same time we define the ISO 27001 Context of Organisation requirements.
It will save you time in the long run and is easy to create and record.
How does it work?
ISO 27001 is an information security management system for your organisation. As it is designed for your organisation you are going to want to tailor certain aspects of it to your needs.
When it comes to the certification audit the auditor is going to want to look at the connection between who you are and the ISMS you have deployed.
DO IT YOURSELF
ISO 27001
ISO 27001 Organisation Overview Template
Every journey starts with a first step
The first step on the journey is to understand who you are. This is the easiest of all the steps. You certainly know who you are. For the purposes of the ISO 27001 certification you are going to want to write that down. The benefits of writing it down are
- It will meet the needs of the standard
- It will set a common vision and answer to who you are
- You can share with staff, new employees and those new to the organisation
ISO 27001 Organisation Overview Template Walkthrough
What an ISO 27001 Organisation Overview contains
The organisation overview is going to cover
About us
A brief textual overview of who you are. Often people take this from their marketing materials or about us page on their website. Keep it high level but include enough information so someone that does not know you can quickly understand about you.
Your Products and Services
A list of your products and services as your customer would know them. A comprehensive list of what it is that you sell and / or provide to customers.
Your Locations
A list of the locations both real and virtual that company uses. Include as much details as you can from addresses if known to regions or countries for cloud services.
Your Mission Statement
What your companies mission is. If you have one and you know it.
Your Values
The values of the company.
Your Business Objectives
What is the business hoping to achieve over the next 12 months and the long term.
Why it contains these points
Each of the points above can directly influence and impact aspects of the information security management system and how you go about managing risks and controls.
How to create and use an ISO 27001 Organisation Overview
In this short ISO 27001 Organisation Overview tutorial we show you how you can do it yourself with step by step instructions.
ISO 27001 Organisation Overview Frequently Asked Questions
It is a document that describes who you are. You use the Organisation Overview to explain to auditors, clients and employees who you are, what your business objectives are, what your values are. It allows you to show, and to make, a connection to the implementation of the information security management system based on who you are.
Yes. And no. You need to be able to show the connection between who you are and why the information security management system is built and implemented the way it is. The information is straightforward and you may have it in other locations. This is fine. It is just easier all round to collate that information into one document and one place to smooth the process of audits.
The easiest format to record it in is Microsoft Word document. Any word processing package will do.
In reality it used as part of the audit process to demonstrate the connection between who you are and the information security management system you have deployed.
You can get a downloadable Organisation Overview Template at High Table the ISO 27001 Company.
It contains information about you. It will include an overview of who you are, what you do, what your business objectives are, what your values are. All information that you already know. As it is all about you.
Organisation Overview is covered in ISO 27001:2022 Clause 4.1 Understanding The Organisation And Its Context