ISO 27001 4.1 – Understanding the organization and its context

Section 4.1 of ISO 27001 requires an organisation to identify any relevant internal and external issues, chiefly those that could affect the organisation’s ‘ability to achieve the intended outcome/s of its information security management system.’


What are the internal and external issues facing an organisation?

In the guidance video contained within our ISO 27001 Virtual Coach programme, we discuss how to identify these by considering the following key areas:

Internal issues affecting an information security management system


  • Information
    • Do you hold customer or employee data, financial information or product designs?
  • People
    • Are staff well and fit to deliver their roles? Do they have the right tools for the job, and do new hires get help understanding your business?
  • Organisation
    • Are you safeguarding your company assets? Do you have good relationships with your suppliers and partners and continue to monitor that relationship?
  • Products/services and processes
    • Are you able to maintain the Confidentiality, Integrity and Availability (CIA) principle? Have you ensured Privacy by Design?
  • Systems
    • Do you maintain manual and digital systems that hold information and other assets, and are they accounted for?

External issues affecting an information security management system using the PESTLE method


  • Political
    • Have elections and new laws caused uncertainties in your industry?
  • Economic
    • Do austerity measures and interest rates have an impact on how much your customers feel like they can spend with you?
  • Sociological
    • Increased use of social media and cyber complacency could be leading to higher chances of information loss and potential breaches.
  • Technological
    • Could frequent updates of technology put a strain on your organisation?
  • Legislative
    • How much of an impact will new regulations like GDPR have on your business? Have you considered applicable legislation in a risk bank?
  • Environmental
    • Are you needing to reduce your environmental impact by using more public transport or going paperless in the office?
