Expert Advice Community

Organizational context and Risk Assessment Report

Guest
Guest user. Created: Mar 24, 2017. Last commented: Mar 24, 2017

1 - Do I need to prepare some reports when risk assessment and risk treatment are done? I am asking because in your template "Risk assessment and risk treatment report", under "Time period", there is a sentence saying: "Risk assessment was implemented in the period from xxxxxxxxxx to xxxxxxxxx. Risk treatment was implemented from xxxxxxxxx to xxxxxxx. Final reports were prepared during xxxxxxxx to xxxxxxx."
Expert
Rhand Leal Mar 24, 2017

Answer: Clauses 8.2 and 8.3 of the standard require you to document the results of the risk assessment. They don't specifically require the "Report", but some kind of document that shows which risks were assessed and treated at a particular date. Excel sheets or tools used for operational activities are not very good for this purpose because they are intended to be changed at any time to include changes in the risk environment.

Besides that, you also provide a document to top management where you can present the risk assessment methodology and compile, highlight and present the main risks and treatments in a format they are used to reading (executive summary, main findings, recommendations, etc.).

In the video tutorials that came with your toolkit, you can see examples of how to fill out the Risk Assessment and Risk Treatment Report.

2 - For the part “Understanding the organization” there is something called “Internal and external issues”. I think I understand but I am not sure. Can you please give me some examples of internal and external issues?

Answer: Examples of internal issues are organizational culture, assets, methodologies and policies. Examples of external issues are new technologies, geographical location, market conditions, and government laws.

This article will provide you with further explanation about internal and external issues:
- Explanation of ISO 27001:2013 clause 4.1 (Understanding the organization) https://advisera.com/27001academy/knowledgebase/how-to-define-context-of-the-organization-according-to-iso-27001/
