The first of the ISO 27001 Information Security Management System (ISMS) requirement clauses (clause 4.1, understanding the organization and its context) mandates that the organization identifies its context, including the internal and external issues relevant to the system. But what does this mean? How can we identify this? Who needs to be involved? And finally, what are the outputs?
Simply put, identifying the organization and its context consists of understanding both the internal and the external context with regard to the purpose of the system. Internal context may consist of the company's mission, core values, vision, objectives, direction, organizational structure and contractual obligations. Before a system can be set up, you must be able to identify how this system ties in with the organization's overall goals, how it can support these goals and what other internal factors are in place that may affect the system.
Internal and external factors should be considered alongside the wider business strategy.
External context may consist of legal, social, political, financial, economic, environmental and external stakeholder factors. All of these can have an impact on what the system needs to achieve and why it needs to do this. For example, an expectation from an external client that their data shall be secured at all times and that they require constant assurance that this is the case may result in the ISMS being set up to satisfy these requirements.
Similarly, legal or regulatory pressures, e.g. Data Protection Act requirements, may be the main driver behind setting up the ISMS. Organizations providing a service to clients are often serving the interests of external parties in order to maintain client relationships, but there can also be purely internal drivers.
What are the outputs of this exercise? By the end of it your organization should have a clear picture of how the system aligns with the organization's key objectives, how it can support business objectives, which internal and external factors are driving the system and what the requirements of the system are. With this understanding, the system can be established with clear goals and objectives in mind.
While the standard does not explicitly require the outputs of this exercise to be documented, it is advisable. An ISMS policy can then be used as a reference for why the system has been established, what it is trying to achieve and what it should be doing. Understanding the context of the organization is a vital precursor to this, and without this understanding the ISMS will not be successful in the long run.
By documenting the context of the organization and ensuring management are aligned with this understanding, the system can be set up in line with the company's core objectives. Furthermore, as the organization's goals change the system can adapt to suit the new requirements, so maintaining versions of this documentation is also recommended.