Clause 4.1 internal and external issues
We have a question for you on 4.; what is the best way to address this requirement, should we add this verbiage to our 05 risk assessment and risk treatment methodology document (like below) or should we create a separate table and/or document where we list action, who is responsible, timeframe for the items noted below. My original thought was to include these items in our risk assessment process but would be interested in your thoughts, thanks.
3.6 Organization and Context
The head of EOM Security and Compliance will be responsible for identifying any internal or external issues that could affect the intended outcome of the ISMS. Internal issues such as resources, training, data storage, organizational roles, tools, EOM software, system processes need to be captured and added to the Risk Assessment Table. External issues such as cloud providers, customers, the economy, technology, legislation, the environment, all need to be reviewed and added to the Risk Assessment Table if necessary.
Assign topic to the user
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more 
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more
Please note that ISO 27001 does not require documenting the context of the organization (clause 4.1) and this is especially not recommended for smaller organizations - you only need to take into the context of the organization when defining the scope and doing the risk assessment. You can read more here: Explanation of ISO 27001:2013 clause 4.1 (Understanding the organization) https://advisera.com/27001academy/knowledgebase/how-to-define-context-of-the-organization-according-to-iso-27001/
In case your organization decides to document the organizational context, I would recommend that you keep this information separate from other documents because otherwise, you might need to update these too often. For this, you can use the blank template that is included in your toolkit.
We received this question:
Thanks Rhand, for our readiness assessment the external auditors issued a finding that we did not explicitly define a policy/procedure describing the context of the organization, they went on further to say we should determine if any internal and external issues would impact the intended outcome of the ISMS.
You guys are saying we do not need to document the context of the organization but we should have a procedure to check internal and external issues.
What I am going to do is add internal and external issues to our yearly compliance check with a step to ensure we determine whether any of these issues impact the intended outcome of the ISMS. Do you think this is sufficient?
Answer: Regarding your proposed solution, adding an internal and external issues to your yearly compliance check would be sufficient to meet standards requirements.
Please note that it is not a matter that "You guys are saying we do not need to document the context of the organization...", but that the ISO 27001 standard itself does not require such documentation. Considering the standard, the issue raised by the external auditors is at most an opportunity for improvement (not a nonconformity).
As a suggestion, you should politely ask your external auditors for clarification about which clause part of the standard requires a policy/procedure describing the context of the organization.
For further information, see: Explanation of the basic terminology in ISO standards https://advisera.com/27001academy/blog/2015/01/12/explanation-of-the-basic-terminology-in-iso-standards/
Comment as guest or Sign in
Aug 07, 2020