Get FREE 12-month access to the AI-Powered Knowledge Base worth $450
with your ISO 27001 toolkit purchase
Limited-time offer – ends June 27, 2024

Expert Advice Community

Guest

Issues

  Quote
Guest
Guest user Created:   Jan 13, 2016 Last commented:   Jan 13, 2016

Issues

0 0

Assign topic to the user

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

Guest
AntonioS Jan 13, 2016

According to the article "Explanation of ISO 27001:2013 clause 4.1 (Understanding the organization)" : https://advisera.com/27001academy/knowledgebase/how-to-define-context-of-the-organization-according-to-iso-27001/, the issues are determined during the RA process and hence there is no need to perform any additional steps to identify the internal / external issues. However, my doubt here is that at this stage (4.1) we are still in the process of determining the scope and the RA (6.1) is at a later stage. So ideally, these 'issues' that we determine at 4.1 should come from a brainstorming session or discussion with relevant stake holders. Please correct me if I have misunderstood something here.

2.- My second and main doubt is while determining these 'issues', do we also need to consider issues that could affect the ISMS in a positive way? As per my understanding, an 'issue' is something that could prevent my ISMS from achieving its intended outcome (its objectives). However, it was pointed out by an auditor that while determining  th e ‘issues’ while considering clause 4.1, we should also consider factors that could influence the ISMS in a positive way. For example, an issue identified was lack of management commitment (this could lead to difficulty in achieving the ISMS objectives). The auditor mentioned that should also consider something “Strong management commitment” as this could influence the outcome of the ISMS in a positive way (i.e. help the ISMS achieve its objective). I wanted to know if this is necessary or if defining ‘issues’ the way I have determined it so far (as something that could prevent the ISMS from achieving its outcome) is sufficient to meet the requirement of 4.1
 

Answers:

Point 1: Yes, you are right, internal and external issues will be mostly discovered during the risk assessment process, but remember that also identifying interested parties. On the other hand, it is not necessary to identify issues related to the RA at the beginning of the implementation (can wait), but you can consider, as a best practice, a brainstorming session or discussion with relevant stake-holders, and after redefine issues during the RA if necessary. 
Point 2: From my point of view, it is not necessary to identify issues that could affect the ISMS in a positive way, with issues identified during the RA process, and by identifying interested parties, can be enough. Anyway, can be a best practice to consider issues that could affect the ISMS in a positive way (for example related to “Strong management commitment”), and also can be a best practice to perform the SWOT analysis (Strengths-Weaknesses-Opportunities-Threats), and PEST analysis (Political-Economical-Social-Technological impacts).  
Finally, maybe this article related to security objectives can be interesting for you “ISO 27001 control objectives – Why are they important?” : https://advisera.com/27001academy/blog/2012/04/10/iso-27001-control-objectives-why-are-they-important/

Quote
0 0

Comment as guest or Sign in

HTML tags are not allowed

Jan 12, 2016

Jan 12, 2016