4 Context                               

• 4.1 The organization and its context
• 4.2 Needs and expectations of interested parties
• 4.3 Scope of the ISMS
• 4.4 ISMS

4.1 The organization and its context

External and internal issues that can influence the ISMS

Requirement 1 (see also the quiz)

The two most important things in a company do not appear in its balance sheet: its reputation and its people. Henry Ford

Integrating ISMS requirementsexplicit or implicit need or expectation (see also ISO 9000, 3.1.2) into business processes ensures that interested parties (i.e. customers) control the risks associated with information security. Adopting these requirementsexplicit or implicit need or expectation (see also ISO 9000, 3.1.2) is a strategic top management decision.

To successfully implement an information security management system, it is necessary to understand and assess everything that can influence the purpose and performance of the organizationa structure that satisfies a need (see also ISO 9000, 3.3.1). An example of determining the issues is given in sub-clause 5.4.1 of ISO 31000. It is advisable to engage in in-depth reflection after a few essential activities:

• draw up an in-depth diagnosis of the unique context in which the organization finds itself, taking into account the issues:
  • external, such as the environment:
    • social
    • regulatory
    • economical
    • political
    • technological
    • natural
  • internal, such as:
    • specific aspects of corporate culture:
      • vision
      • reason to exist, purpose and mission
      • core values
    • staff
    • products and services
    • processes, policies, procedures, instructions, objectives
    • infrastructure
• monitor and review regularly all information relating to external and internal issues
• analyze the factors that may influence the achievement of the organization's objectives

Each issue is identified by its level of influence and control. Priority is given to issues that are very influential and not at all under control. External and internal issues, cf. D 10v22. 

PESTEL and SWOT analyses (our strengths and weaknesses, opportunities and threats) can be useful for a relevant analysis of the context of the organization (see annex 05). A SWOT analysis helps to understand our business environment. It also allows us to identify internal and external problems, which could have an impact on information security. 

Minute of relaxation. Game: Context of the company

• diagnosis of the context includes the main external and internal issues
• the core values as part of the corporate culture are taken into account in the context of the company
• the results of the context analysis are widely diffused
• the SWOT analysis includes many relevant examples
• the SWOT analysis is a powerful tool for identifying the main threats and opportunities

• the issues of the context of the company, such as the competitive environment, are not taken into account
• in some cases, the corporate culture is not taken into account
• risk analysis does not take into account strategic issues
• no clear link between the SWOT analysis and the actions undertaken
• the scope of the ISMS procedure is classified as confidential

Top of the page

4.2 Needs and expectations of interested parties

Understand the requirements of interested parties

Requirements 2 to 4

There is only one valid definition of a business purpose: to create a customer. Peter Drucker

To understand the needs and expectations of interested parties, we must begin by determining those who may be affected by the information security management system, for example:

• employees
• top management
• customers
• external providers (suppliers, subcontractors, consultants)
• owners
• shareholders
• bankers
• distributors
• competitors
• citizens
• neighbors
• social and political organizations

The list of interested parties is created by a multidisciplinary team. Every interested party is determind by its level of influence and control. Priority is given to interested parties with great influence and poor control. List of interested parties., cf. D 10v22. 

The requirements of interested parties, which change over time, are reviewed regularly (see the Maintain regulatory watch process).  

Anticipating the reasonable and relevant needs and expectations of interested parties involves:

• meeting the requirements of the product or service offered
• preparing to address risks
• seizing improvement opportunities

When a requirementexplicit or implicit need or expectation (see also ISO 9000, 3.1.2) is accepted, it becomes an internal requirementexplicit or implicit need or expectation (see also ISO 9000, 3.1.2) of the ISMS.

• the list of interested parties is updated
• the needs and expectations of interested parties are established through meetings on-site, surveys, roundtables and meetings (monthly or frequent)
• the application of statutory and regulatory requirements is a prevention approach and not a constraint

• statutory and regulatory requirements are not taken into account
• the delivery time is not validated by the customer
• the expectations of interested parties are not determined
• the list of interested parties does not contain their area of activity

Top of the page

4.3 Scope of the ISMS

Define the scope of the ISMS

Requirements 5 to 9

In many areas, the winner is the one who is best informed. André Muller

The scope (or in other words, the perimeter) of the information security management system is defined and validated by top management.

The Statement of Applicability - SoA (cf. sub-clause 6.1.3 and annex 07) allows us to: 

• determine what is or is not part of the ISMS
• identify and update the controls to be applied
• answer the questions for each control:
  • what needs to be done?
  • why?
  • how?
  • what is its status?
• plan and audit the ISMS

Each control of the statement of applicability is directly linked to the treatment of a risk.

To properly determine the scope of the ISMS, the specificities of the context of the organizationa structure that satisfies a need (see also ISO 9000, 3.3.1) are taken into account such as:

• the issues (see sub-clause 4.1)
• the activities of the organization, including support
• corporate culture
• the environment:
  • social
  • financial
  • technological
  • economical
• the requirements of the interested parties (see sub-clause 4.2)
• outsourced processes

The Scope of the ISMS is available as documented information, cf. D 10v22. It includes the scope (limits and interfaces):

• of the organization:
  • products
  • services
• information and communication:
  • software design and development
  • maintenance
• physical:
  • head office
  • subsidiaries

• the scope is relevant and available upon request
• non applicable requirements are justified in writing
• a department not included in the scope is treated as a supplier with all the consequences (contract, confidentiality agreement, performance monitoring)

• some products are outside the scope of the ISMS without justification
• the scope is obsolete (a new subsidiary is not included)
• the scope is not validadted by top management

Top of the page

4.4 ISMS

ISMS requirements, processes and interactions

Requirement 10

The requirementsexplicit or implicit need or expectation (see also ISO 9000, 3.1.2) of the ISO 27001 standard are linked to the control of:

• information security and
• organizational processes

To do this:

• the information security management system is:
  • planned (see the Plan the ISMS process, cf. D 10v22.)  
  • established
  • documented (a simple and sufficient documentary system is in place)
  • set up and
  • continually improved
• the information security policy, objectives, resources and working environment are determined
• threats are determined and actions to reduce them are established (see sub-clause 6.1)
• the essential processes necessary for the ISMS are controlled (cf. the process Establish process ownership):  
  • the corresponding resources assured
  • the determined input and output elements
  • the necessary information available
  • the named owners (responsibilities and authorities defined)
  • determined sequences and interactions
  • each process is measured and monitored (criteria established), objectives are established and performance indicators analyzed
  • process performance is evaluated
  • necessary changes are introduced to achieve expected results
  • actions to obtain the continual improvement of processes are established
• the strict minimum necessary ("as much as necessary") of Documented information on the processes is maintained and retained (  )

The information security manual is not a requirementexplicit or implicit need or expectation (see also ISO 9000, 3.1.2) of the ISO 27001 standard, but it is always a possible method to present the organizationa structure that satisfies a need (see also ISO 9000, 3.3.1), its ISMS and its procedures, policies and processes (see annex 08). 

The ISO guide “The integrated use of management system standards” of 2018, contains relevant recommendations on the integration of management systems.

 Pitfalls to avoid:

• going overboard on quality: 
  • a useless operation is performed without adding value and without the customer asking for it - it is a waste, cf. quality tools D 12
• having all procedures written by the quality manager: 
  • information security is everybody's business, "the staff is conscious of the relevance and importance of each to the contribution to information security objectives", which is even more true for department heads and process owners
• forgetting to take into account the specificities related to the corporate culture: 
  • innovation, luxury, secrecy, authoritarian management (Apple)
  •  strong culture related to ecology, action and struggle, while cultivating secrecy (Greenpeace)
  • fun and quirky corporate culture (Michel & Augustin)
  • liberated company, the man is good, love your customer, shared dream (Favi)

The requirements of the ISO 27001 standard are shown in figures 4-1 and the dedicated page:

Figure 4-1. The requirements of the ISO 27001 standard

• the process map has enough arrows to show who the customer (internal or external) is
• for a process, it is better to use a lot of arrows (several customers) rather than to forget one
• reveal the added value of the process during the process review
• the analysis of processes performance is an example of continual improvement evidence of the effectiveness of the ISMS
• top management regularly monitors the objectives and action plans
• the purpose of each process is clearly defined
• the commitments of  top management on continual improvement are widely diffused
• the innovation potential is confirmed by the increase in sales of new products

• some process outputs are not set correctly (customers not considered)
• process efficiency criteria are not established
• the process owners are not formalized
• outsourced processes are not determined
• very real activities are not identified in any process
• control of outsourced services is not described
• sequences and interactions of certain processes are not determined
• criteria and methods for ensuring effective processes are not determined
• monitoring the effectiveness of certain processes is not established
• the ISMS resources do not allow achievement of information security objectives
• the ISMS is not updated (new processes are not determined)
• the threats and weaknesses identified in the SWOT analysis remain without actions

The rest of the T 24v22 ISO 27001 readiness version 2022 training is accessible on this page.

See also the training T 44v22 Internal audit ISO 27001 and the training package ISO 27001.

Top of the page

• Home
• My account
• Site map
• FAQ
• GTU