Context of the organization in ISO 27001
Clause 4 (Context of the organization) of ISO 27001:2013 has 4 sub-clauses:
- 4.1 Understanding the organization and its context - this does not need to be documented
- 4.2 Understanding the needs and expectations of interested parties - you need to produce a list of applicable legislation and contractual requirements because of control A.18.1.1
- 4.3 Determining the scope - you must write a scope document
- 4.4 Information security management system - you don't have to write a separate document for this sub-clause
These articles will help you:
- Explanation of ISO 27001:2013 clause 4.1 (Understanding the organization) https://advisera.com/27001academy/knowledgebase/how-to-define-context-of-the-organization-according-to-iso-27001/
- How to identify interested parties according to ISO 27001 and ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-identify-interested-parties-according-to-iso-27001-and-iso-22301//
- How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
Hello Dejan,
Related to 4.1 Understanding the organization and its context: you say this does not need to be documented; does it mean that it's not necessary to write anything about this requirement? Maybe the auditor will search for evidence in order to be compliant with this requirement.
Thanks
Yes, you are right, it is not necessary to have a document for clause 4.1, but the auditor can request evidence of implementation from you. If you want to know the list of mandatory documents of the standard, please see this article, "List of mandatory documents required by ISO 27001 (2013 revision)": https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
Jan 12, 2016