Info Sharing Blog

Thursday, July 26, 2018

Part 2-InfoSec Scribbling : ISO/IEC 27001:2013

July 26, 2018, posted by jaacostan
:: InfoSec Study Notes : Scribbling on ISO/IEC 27001:2013 Standard Part-2 ::

Context of the Organization

The organization needs to identify the internal and external issues that can affect the expected outcome of the ISMS. Context therefore becomes an important consideration and helps to ensure that the ISMS is designed and adapted for your organization.

-External issues - issues external to the organization.

    External issues may include:
    government regulations and changes in the law, political conditions
    economic shifts in your market
    partners, vendors and competitors
    events that may affect your corporate image
    trends and changes in technology

-Internal issues - issues within the organization and under its direct control.

    Internal issues may include:
    regulatory requirements for the organization
    strategies to conform to your policies and achieve your objectives
    relationships with your staff and stakeholders, including partners and suppliers
    resources and knowledge, including people, processes, budget, technology etc.
    assets
    products or services
    standards, guidelines and models adopted by the organization

-Interested parties and their needs and expectations - clients, end-users, employees, partners, suppliers etc.

When developing your ISMS, consider interested parties that can affect the organization's:
-ability to consistently provide a product or service that meets your customers' needs and any statutory and regulatory requirements
-ability to enhance customer satisfaction and to meet applicable standards and regulations

-Document everything.

For internal issues, document the relevant ones as part of the organization's information security objectives and the results of the risk assessment, and maintain records of the competence of your employees.
For external issues, it is mandatory to maintain a list of the relevant legislative, statutory, regulatory and contractual requirements.

Scope of ISMS

-The scope should be documented.
-Scope means where you are going to plan and implement the ISMS and what you are trying to protect. This document clearly defines the boundaries of the Information Security Management System (ISMS).
-The organization should define the scope of its ISMS in relation to its business needs, the structure of the organization, its locations, its information assets and its technologies.