iFour Consultancy

ISMS Framework: Clause 4 - Context of the organization

Organizational Context - ISMS requirements

 The organizational context for implementing and achieving the intended

outcome of its ISMS includes:
 Organizational Background
 Context of the Operations
 Purpose
 ISO 27001:2013 has classified the organizational context into:
 Clause 4.1: Understanding the organization and its context.
 Clause 4.2: Understanding the needs and expectations of interested parties.
 Clause 4.3: Determining the scope of ISMS.
 Clause 4.4: Information Security Management System.

http://www.ifourtechnolab.com Offshore software development company India

Clause 4.1 Understanding the organization & its context

 Organization should determine the internal and external issues pertaining to the
implementation of ISMS.
 Internal issues can be described in terms of:
 Organizational structure  Processes
 Policies  Internal practices
 People (i.e. Resources)  Products
 Objectives  Capabilities

 Internal & External issues can be identified by:

 SWOT analysis
 Image reference: https://www.fullestop.com/blog/analyze-website-swot-analysis/

http://www.ifourtechnolab.com Offshore software development company India

Clause 4.1 (Continued)

 External issues can be described in terms of: Political

 Market competitors  Differentiators of products
 Trends  Environmental aspects Economic
 Clients  Legal & Regulatory commitments
 Relationship (with  External stakeholders
supplier/vendor/client)
Social

 External issues can be determined by: Technological

 PESTLE analysis
Legal

Environmental

http://www.ifourtechnolab.com Offshore software development company India

Clause 4.1 (Continued)

 The context also refers to Clause 5.3 of ISO 31000:2009 standard for
establishing internal and external context of the organization.
 Clause 5.3 of ISO 31000:2009 explains the establishment of your unique risk
management context. The subsections are:
 Clause 5.3.1: Establish your risk management parameters.
 Clause 5.3.2: Establish your organization's external context.
 Clause 5.3.3: Establish your organization’s internal context.
 Clause 5.3.4: Establish the context of your risk management process.
 Clause 5.3.5: Establish your organization’s risk criteria.

http://www.ifourtechnolab.com Offshore software development company India

 Clause 4.2 Needs and expectations of interested parties

 The organization shall determine:

 Interested parties relevant to ISMS.
 Requirements of these Interested parties relevant to ISMS.
 Interested parties are the stakeholders that influence ISMS operations or they
are the ones who are affected by ISMS activities.
 Interested parties can be any from the following:
 Clients  Suppliers/Vendors
 Govt. agencies/Regulators  Partners
 Employees  Shareholders/Owners
 The requirements of these interested parties includes legal and regulatory
requirements and obligations as mentioned in the contract.

http://www.ifourtechnolab.com Offshore software development company India

Clause 4.2 (Continued)

 Examples of requirements by some of the entities mentioned ahead:

 Shareholders of your company want their investment to be secure and they want to
earn a good return on their investment.
 Image reference: http://www.consilue.com/

 Clients want your company to comply with the security clauses in the contracts your
company signs with them.
 Image reference: http://imgforu.com/login/123?q=39

 Govt. agencies want your company to comply with Information Security laws and
regulations.
 Image reference: http://blog.snobmonkey.com/2015/04/14/why-universities-need-to-get-social/

http://www.ifourtechnolab.com Offshore software development company India

Clause 4.3 Determining the scope of ISMS

 The organization shall determine the boundaries and applicability of the

areas of information security system to establish its scope
 The scope is determined keeping in mind these factors:
 The internal and the external issues referred to in Clause 4.1
 The requirements of interested parties referred to in Clause 4.2
 The interfaces and dependencies between activities performed by the organization, and
those that are performed by other organizations
 The boundary is the term that considers the organization processes in relevance to
information security.
 Image reference: http://www.huntinggpsmaps.com/hunt-map-update-overview

http://www.ifourtechnolab.com Offshore software development company India

Clause 4.3 (Continued)

 An organization should identify the functions that are provided by the

organization itself and also the functions that are provided by external parties
which affect the CIA of information within the scope of ISMS.
 Example:
 A social networking company relies on its internet service provider. If a failure occurs in
providing internet to the social networking site of the company by the internet provider,
then availability of the information is compromised. Hence the internet service should
be considered while determining the scope of ISMS.
 ISO states that the scope of ISMS should be available as documented information

http://www.ifourtechnolab.com Offshore software development company India

Clause 4.4 Information Security Management System

• Establish the ISMS • Implement and

operate the ISMS

Plan Do

Act Check
• Continually • Maintain the
Improve the ISMS ISMS i.e. Monitor
and Review ISMS

http://www.ifourtechnolab.com Offshore software development company India

References
 https://wings2i.wordpress.com/2014/10/09/what-is-context-of-the-
organization-for-iso-270012013/
 http://www.aisgcorp.com/how-to-comply-with-clause-4-1-and-4-2-of-isoiec-
270012013/
 http://www.slideshare.net/ULDQSInc/iso-27001-transition-to-2013-
03202014
 http://advisera.com/27001academy/knowledgebase/explanation-iso-
270012013-clause-4-1-understanding-organization/
 http://advisera.com/27001academy/knowledgebase/how-to-identify-
interested-parties-according-to-iso-27001-and-iso-22301/

http://www.ifourtechnolab.com Offshore software development company India