The importance of understanding the organizational context for ISO 27001
The organizational context includes external and internal issues relevant to the Information Security Management System (ISMS). Besides being a requirement of the standard (clause 4.1), being aware of the organizational context can give an organization a clearer view of the most relevant issues (either positive or negative) for information security, allowing it to properly define the ISMS purpose, devise strategies, and allocate its resources where they will bring better results.
Examples of internal and external issues to be considered
According to ISO 31000 clause 5.3.1, two types of issues should be considered:
- Internal issues: factors under the direct control of the organization
- External issues: factors an organization has no control over, but that it can anticipate and adapt to
Examples of internal issues are:
- Organizational structure: Knowing the roles, accountabilities, and hierarchy in the organization will help define where to position the ISMS.
- Organizational drivers: The organization’s values, mission, and vision, expressed in its internal culture, policies, objectives, and strategies, can help define its information security policies, objectives, and strategies. It is important to note that these factors are greatly affected by employees and other people working in the organization. Their perceptions and opinions should also be considered.
- The way the organization does things: Knowing how processes work (both isolated and interconnected), how information flows, and how decisions are made will make it easier to integrate information security processes and controls with business operations and management activities.
- Available resources: Knowing what equipment, technologies, systems, capital, time, personnel, and knowledge you already have in your organization can help you guide your acquisitions, as well as the development not only of solutions, but also the competencies required to keep information secure.
- Contractual relationships: Understanding the relationships with suppliers and customers can allow an organization to include, in the scope of its ISMS, controls needed to better manage the customers and suppliers’ requirements.
The identification of internal issues will help you comply with the standard’s requirements, such as the alignment of the ISMS with business strategies (clause 5.1.a) and determination of roles and responsibilities (clause 5.3), resources (clause 7.1), and capabilities (clause 7.2).
Here are some examples of external issues:
- Market and customers trends: The increase in the adoption of cloud services is a good example of a trend that should be considered for an ISMS.
- Perceptions and values of external interested parties: Relationships with external parties are not limited to contracts. They have their own cultures that should be considered, as well as the beliefs of the people who work with them.
- Applicable laws and regulations: A good example is all of the work performed by organizations to comply with the EU GDPR, which came into force in May 2018.
- Political and economic conditions: Elections, when public policy trends may change, and changes in local currency exchange rates, should be monitored.
- Technological trends and innovations: Breakthrough technologies or innovations may render security controls useless or provide new ways to protect information.
By the way, external issues will also help you to comply with clause 4.2 Understanding the needs and expectations of interested parties.
ISO 31000 just provides examples to be considered. If you want to make a structured analysis, for internal issues you may use the 7S Framework – which includes the assessment of: Strategy, Structure, Systems, Shared Values, Skills, Style, and Staff.
For a structured analysis of external issues, you may try the PEST analysis, which identifies Political, Economic, Social, and Technological issues in your company’s environment.
How to document those issues ?
ISO 27001 does not require companies to document context of the organization through a separate document – only certain elements of internal and external issues need to be documented.
For internal issues, you must document the relevant ones as part of your information security objectives and results of the risk assessment, and maintain records of the competence of your employees.
For external issues, because of control A.18.1.1, it is mandatory to have a list of relevant legislative, statutory, regulatory, and contractual requirements; this list can help you with information security laws and regulations.
It is not mandatory to document your PEST analysis or 7S Framework analysis, but larger companies would normally create such documents when reviewing their business strategy; smaller companies usually do not have them, but I’m sure most of the business owners/CEOs consider all these issues when they are figuring out how to compete in the market. So, if you work for a larger company, simply ask your corporate office to provide you with these documents; in smaller companies, make sure you talk to your CEO.
Know your context to provide effective protection
By understanding the organizational context well, you can implement a robust ISMS that will cover the needs and expectations of the organization, customers, and other interested parties, and ensure that it will handle the most relevant risks, minimizing the occurrence and impact of incidents and increasing the use of opportunities.
ISO 31000 provides some guidance on which issues should be considered, and by applying this to the implementation of ISO 27001, an organization can implement an ISMS that not only will comply with the standard, but that will also add value to the business.