:: InfoSec Study Notes : Scribbling on ISO/IEC 27001:2013 Standard Part-2::
Context of the OrganizationThe organization needs to identify the Internal and external issues that can affect the expected outcome. Hence context becomes an important consideration and helps to ensure that the ISMS is designed and adapted for your organization.
-External Issues-external to the organizationExternal issues may include:
government regulations and changes in the law, Political conditions
economic shifts in your market
Partner,Vendors and competitor.
events that may affect your corporate image
Trends and changes in technology
-Internal issues-within the organization and under direct control of the organization.Internal issues can include :
regulatory requirements for the organization
strategies to conform to your policies and achieve your objectives
relationship with your staff and stakeholders, including partners and suppliers
resources and knowledge including people, processes, budget, technology etc.
product or service
standards, guidelines and models adopted by the organization
-Interested parties and their needs and expectations.-client, end-users, employees, partners, suppliers etc.When developing your ISMS, consider interested parties that can affect the organizations':
-ability to consistently provide a product or service that meets your customers' needs and any statutory requirements and regulations
-ability to enhance customer satisfaction and standards/regulations.
-Document Everything.For internal issues, document the relevant ones as part of the organization's information security objectives and results of the risk assessment, and maintain records of the competence of your employees.
For external issues, it is mandatory to have a list of relevant legislative, statutory, regulatory, and contractual requirements;.
Scope of ISMS-The scope should be documented.
-Scope means where are you going to plan/implement the ISMS and what you are trying to protect. This document clearly define the boundaries of the Information Security Management System (ISMS).
-The organization should define the scope of its ISMS in relation to its business needs, the structure of the organization, its location, its information assets and its technologies.