Expert Advice Community

Clause 4.1 internal and external issues

Guest user. Created: Aug 04, 2020. Last commented: Aug 07, 2020

We have a question for you on 4.: what is the best way to address this requirement? Should we add this verbiage to our 05 Risk Assessment and Risk Treatment Methodology document (like below), or should we create a separate table and/or document where we list the action, who is responsible, and the timeframe for the items noted below? My original thought was to include these items in our risk assessment process, but I would be interested in your thoughts. Thanks.

3.6 Organization and Context

The head of EOM Security and Compliance will be responsible for identifying any internal or external issues that could affect the intended outcome of the ISMS. Internal issues, such as resources, training, data storage, organizational roles, tools, EOM software, and system processes, need to be captured and added to the Risk Assessment Table. External issues, such as cloud providers, customers, the economy, technology, legislation, and the environment, all need to be reviewed and added to the Risk Assessment Table if necessary.

Expert
Rhand Leal Aug 04, 2020

Please note that ISO 27001 does not require documenting the context of the organization (clause 4.1), and this is especially not recommended for smaller organizations; you only need to take the context of the organization into account when defining the scope and doing the risk assessment. You can read more here: Explanation of ISO 27001:2013 clause 4.1 (Understanding the organization) https://advisera.com/27001academy/knowledgebase/how-to-define-context-of-the-organization-according-to-iso-27001/

In case your organization decides to document the organizational context, I would recommend that you keep this information separate from other documents, because otherwise you might need to update those too often. For this, you can use the blank template that is included in your toolkit.

Expert
Rhand Leal Aug 07, 2020

We received this question:

Thanks Rhand. For our readiness assessment, the external auditors issued a finding that we did not explicitly define a policy/procedure describing the context of the organization; they went on further to say we should determine if any internal and external issues would impact the intended outcome of the ISMS.

You guys are saying we do not need to document the context of the organization, but we should have a procedure to check internal and external issues.

What I am going to do is add internal and external issues to our yearly compliance check, with a step to ensure we determine whether any of these issues impact the intended outcome of the ISMS. Do you think this is sufficient?

Answer: Regarding your proposed solution, adding internal and external issues to your yearly compliance check would be sufficient to meet the standard's requirements.

Please note that it is not a matter of "You guys are saying we do not need to document the context of the organization..."; rather, the ISO 27001 standard itself does not require such documentation. Considering the standard, the issue raised by the external auditors is at most an opportunity for improvement (not a nonconformity).

As a suggestion, you should politely ask your external auditors for clarification about which clause or part of the standard requires a policy/procedure describing the context of the organization.

For further information, see: Explanation of the basic terminology in ISO standards https://advisera.com/27001academy/blog/15/01/12/explanation-of-the-basic-terminology-in-iso-standards/
