By John Watt on Monday, 29 June 2020
Category: ISO27001 Information Security Management Systems

ISO27001 and the Context of the Organisation

There are a few clauses in the ISO27001 Information Security Management Systems standard that cause people a little trepidation or confusion, and clause 4.1 – Context of the Organisation tends to be one of them. Once you understand what the auditors are looking for here, though, it turns out to be a really helpful exercise for your organisation.

Clause 4.1 Understanding the Organisation & its Context

ISO27001 clause 4.1 (Understanding the organisation and its context) states: "The organization shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its information security management system."

So, let's translate that into plain English. What the standard is saying is that, as an organisation, you need to understand which issues and risks could affect your business and your ISMS, whether they originate inside or outside the organisation. To get a rounded view you need to look at them in both a positive and a negative light; we are hard-wired to spot the negatives easily, so it may take a little time to flip the switch and start looking for the positives too.

Let's be clear about what we mean by "understanding". You need to be able to identify these issues, explain them, assess what their impact would be and how big it is, and ideally work out a way of mitigating or preventing that impact on the organisation from an information security standpoint. Clause 4.1 itself doesn't say you need to keep re-checking these things over time (ISO 9001:2015 does say this explicitly), although clause 9.3 does require management review to consider changes in the external and internal issues relevant to the ISMS. Either way, it is a good idea to revisit them regularly to see whether anything has changed that would alter your thinking. When it comes to information, life moves pretty quickly!

So, What Are the Issues to Consider?

Given that ISO27001:2013 is about your Information Security Management System, you need to look both internally and externally when it comes to understanding the context of your organisation:

What next?  

Once you have a handle on these things, and your eyes are open to the wider business view, there are some next steps you should be taking.

There are a couple of great tools you can use here. One that works really well is the PESTLE analysis, which is a good way of understanding the external influences on your business. You can check out an example here:

PESTLE is an acronym designed to help you look at the key areas that will affect your organisation from the outside: Political, Economic, Social, Technological, Legal and Environmental.

By walking through each of these topics you can identify the areas where external factors could influence how you run your organisation, and what effect they could have on your Information Security Management System.

The other is the good old trusty SWOT analysis, where you look at your organisation's Strengths, Weaknesses, Opportunities and Threats, both internal and external to the business. It is usually helpful to do one SWOT for internal factors and one for external factors; you can combine them afterwards if you want, but I prefer to keep them separate. It is fine if similar or identical items appear on both the internal and external SWOT documents. This is

Of course, you also need to think about the structure and hierarchy of your organisation and the influence that may have on your ISO27001 Information Security Management System: who reports to whom, who needs access to what, and why. The best place to start is the good old org chart.

Reviews 

Finally, although clause 4.1 doesn't explicitly say you need to review these things on a regular basis (clause 9.3 only requires changes in them to be considered at management review), let's face it, you'd be a bit mad not to. For an ISO9001:2015 certification an annual review may well be enough. For ISO27001 information security management I personally don't think annually is enough; I think it should be six-monthly at most, but that's just me. I'd also do it in small, bite-sized chunks, a little at a time every month, with a view to covering the whole section within six months and having a final discussion at a management meeting.