Understanding the organization and its context
1. Can you provide any guidance or clarity on defining Clause 4.1 of ISO 27001, "determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its information security management system"?
2. Also, where is this typically documented?
1. Can you provide any guidance or clarity on defining Clause 4.1 of ISO 27001, "determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its information security management system"?
Examples of external issues are: geographical location, public infrastructure available, political, economic, social and technological trends, etc.
Examples of interested parties: clients, suppliers, top management, and employees, etc.
Examples of internal issues are: organizational culture, processes, and procedures, equipment, financial resources, etc.
This article can help you:
- "How to define context of the organization according to ISO 27001": https://advisera.com/27001academy/knowledgebase/how-to-define-context-of-the-organization-according-to-iso-27001/
2. Also, where is this typically documented?
ISO 27001 does not require documenting the context of the organization, and this is especially not recommended for smaller organizations - you only need to take the context of the organization into account when defining the scope and doing the risk assessment.
Jun 18, 2020