Understanding the Organisation & its Context for ISO 27001 Requirement 4.1
What does ISO 27001 Section 4.1 cover?
Section 4.1 of the ISO 27001 requirements is about understanding the organisation and its context. You will be defining the organisation's purpose and will be required to identify any relevant internal and external issues the organisation faces. These issues are mainly those which could affect the organisation's 'ability to achieve the intended outcome(s) of its information security management system.'
What are the internal and external issues facing an organisation?
In the guidance video contained within our ISMS.online ISO 27001 Virtual Coach programme, we discuss how to identify these by considering the following key areas:
Internal issues affecting an information security management system
Information and assets
- Do you hold customer or employee data, financial information or product designs?
People
- Are staff well and fit to deliver their roles? Do they have the right tools for the job, and do new hires get help understanding your business?
Suppliers and partners
- Are you safeguarding your company assets? Do you have good relationships with your suppliers and partners, and do you continue to monitor those relationships?
Products/services and processes
- Are you able to maintain the Confidentiality, Integrity and Availability (CIA) principle? Have you ensured Privacy by Design?
- Do you maintain manual and digital systems that hold information and other assets?
External issues affecting an information security management system, using the PESTLE method (Political, Economic, Social, Technological, Legal, Environmental)
- Political: Have elections and new laws caused uncertainties in your industry?
- Economic: Do austerity measures and interest rates have an impact on how much your customers feel they can spend with you?
- Social: Could increased use of social media and cyber complacency be leading to higher chances of information loss and potential breaches?
- Technological: Could frequent updates of technology put a strain on your organisation?
- Legal: How much of an impact will new regulations like GDPR have on your business? Have you considered applicable legislation in a risk bank?
- Environmental: Do you need to reduce your environmental impact by using more public transport or going paperless in the office?
ISMS.online comes with a template policy for Section 4.1 and, if you choose the optional Virtual Coach, you'll even have template examples of internal and external issues that you can populate it with.
The ISO 27001 requirements are listed below:
- 4.1 Understanding the organisation and its context
- 4.2 Understanding the needs and expectations of interested parties
- 4.3 Determining the scope of the information security management system
- 4.4 Information security management system
- 5.1 Leadership and commitment
- 5.2 Information Security Policy
- 5.3 Organizational roles, responsibilities and authorities
- 6.1 Actions to address risks and opportunities
- 6.2 Information security objectives and planning to achieve them
- 7.1 Resources
- 7.2 Competence
- 7.3 Awareness
- 7.4 Communication
- 7.5 Documented information
- 8.1 Operational planning and control
- 8.2 Information security risk assessment
- 8.3 Information security risk treatment
- 9.1 Monitoring, measurement, analysis and evaluation
- 9.2 Internal audit
- 9.3 Management review
- 10.1 Nonconformity and corrective action
- 10.2 Continual improvement
The ISO 27001 Annex A Controls are listed below:
- A.5 Information security policies
- A.6 Organisation of information security
- A.7 Human resource security
- A.8 Asset management
- A.9 Access control
- A.10 Cryptography
- A.11 Physical and environmental security
- A.12 Operations security
- A.13 Communications security
- A.14 System acquisition, development and maintenance
- A.15 Supplier relationships
- A.16 Information security incident management
- A.17 Information security aspects of business continuity management
- A.18 Compliance