When it was revised back in 2013, ISO 27001 adopted the Annex SL format, a generic framework for ISO standards that uses several identical sections of wording and a lot of similar terminology.
One of the core Annex SL clauses is clause 4, which concerns the context of the organisation. It's an important part of the standard, and it requires you to consider the internal and external issues that can impact on your strategic objectives and how you plan your information security management system (ISMS).
Your organisation should focus particularly on factors and conditions that can affect your products, services, investments and on your interested parties. Context becomes an important consideration and helps to ensure that your ISMS is designed and adapted for your organisation rather than taking a 'one size fits all' approach.
Determining the context (step by step)
There's no prescribed method for determining the context of your organisation in relation to ISO 27001, but you could take this simple and pragmatic four-step approach:
- Identify the internal issues that can affect your organisation's products, services, investments and interested parties.
- Identify the external issues that can affect your organisation's products, services, investments and interested parties.
- Identify who are the interested parties and what are their requirements.
- Regularly review and monitor those internal issues, external issues and interested parties you have identified.
1 – Internal issues
Your organisation's internal context is the environment in which you aim to achieve your objectives. Internal context can include your approach to governance, your contractual relationships with customers, and your interested parties.
Internal issues can include your:
- regulatory requirements
- strategies to conform to your policies and achieve your objectives
- relationship with your staff and stakeholders, including partners and suppliers
- resources and knowledge (e.g. capital, people, processes and technologies)
- risk appetite
- product or service
- standards, guidelines and models adopted by the organisation
- information systems
2 – External issues
To understand your external context, consider issues that arise from your social, technological, environmental, ethical, political, legal and economic environment.
External issues may include:
- government regulations and changes in the law
- economic shifts in your market
- your competition
- events that may affect your corporate image
- changes in technology
3 – Interested parties
Your interested parties include your customers, partners, employees and suppliers. When developing your ISMS, you only need to consider interested parties that can affect your:
- ability to consistently provide a product or service that meets your customers' needs and any statutory requirements and regulations
- continual improvement process
- ability to enhance customer satisfaction through effectively applying your system
- your process for ensuring you conform to your customers' requirements and any statutes or regulations that apply
4 – Regular reviews and monitoring
You must regularly review and monitor those internal or external issues you've identified. Understanding your internal context means your management can carry out a 'PEST' (political, economic, social and technological) analysis to determine which factors will affect how you operate.
While you have no control over external issues, you can adapt to them. PEST factors can be classified as 'risks' and 'opportunities' in a SWOT (strengths, weaknesses, opportunities, threats) analysis or other alternative methods.