ISO 27001 2013 Clause 4 - context of an organization - by Software development company in india

iFour Consultancy ISMS Framework: Clause 4 - Context of the organization


Offshore software development company India http://www.ifourtechnolab.com


Organizational Context - ISMS requirements

The organizational context for implementing and achieving the intended outcome of its ISMS includes:
- Organizational background
- Context of the operations
- Purpose

ISO 27001:2013 has classified the organizational context into:
- Clause 4.1: Understanding the organization and its context.
- Clause 4.2: Understanding the needs and expectations of interested parties.
- Clause 4.3: Determining the scope of the ISMS.
- Clause 4.4: Information security management system.


Clause 4.1 Understanding the organization & its context

The organization should determine the internal and external issues pertaining to the implementation of the ISMS.

Internal issues can be described in terms of:
- Organizational structure
- Processes
- Policies
- Internal practices
- People (i.e. resources)
- Products
- Objectives
- Capabilities

Internal and external issues can be identified by SWOT analysis.
Image reference: https://www.fullestop.com/blog/analyze-website-swot-analysis/


Clause 4.1 (Continued)

External issues can be described in terms of:
- Market competitors
- Differentiators of products
- Trends
- Environmental aspects
- Clients
- Legal and regulatory commitments
- Relationships (with suppliers/vendors/clients)
- External stakeholders

External issues can be determined by PESTLE analysis.


Clause 4.1 (Continued)

The context also refers to Clause 5.3 of the ISO 31000:2009 standard for establishing the internal and external context of the organization. Clause 5.3 of ISO 31000:2009 explains the establishment of your unique risk management context. The subsections are:
- Clause 5.3.1: Establish your risk management parameters.
- Clause 5.3.2: Establish your organization's external context.
- Clause 5.3.3: Establish your organization's internal context.
- Clause 5.3.4: Establish the context of your risk management process.
- Clause 5.3.5: Establish your organization's risk criteria.


Clause 4.2 Needs and expectations of interested parties

The organization shall determine:
- Interested parties relevant to the ISMS.
- Requirements of these interested parties relevant to the ISMS.

Interested parties are the stakeholders that influence ISMS operations or who are affected by ISMS activities. Interested parties can be any of the following:
- Clients
- Suppliers/vendors
- Govt. agencies/regulators
- Partners
- Employees
- Shareholders/owners

The requirements of these interested parties include legal and regulatory requirements and the obligations mentioned in contracts.


Clause 4.2 (Continued)

Examples of requirements from some of the entities mentioned above:

- Shareholders of your company want their investment to be secure and they want to earn a good return on their investment.
  Image reference: http://www.consilue.com/

- Clients want your company to comply with the security clauses in the contracts your company signs with them.
  Image reference: http://imgforu.com/login/123?q=39

- Govt. agencies want your company to comply with information security laws and regulations.
  Image reference: http://blog.snobmonkey.com/2015/04/14/why-universities-need-to-get-social/


Clause 4.3 Determining the scope of the ISMS

The organization shall determine the boundaries and applicability of the information security management system to establish its scope. The scope is determined keeping in mind these factors:
- The internal and external issues referred to in Clause 4.1
- The requirements of interested parties referred to in Clause 4.2
- The interfaces and dependencies between activities performed by the organization and those performed by other organizations

The boundary is the term that describes which of the organization's processes are in scope with respect to information security.
Image reference: http://www.huntinggpsmaps.com/hunt-map-update-overview


Clause 4.3 (Continued)

An organization should identify the functions that are provided by the organization itself and also the functions that are provided by external parties which affect the confidentiality, integrity and availability (CIA) of information within the scope of the ISMS.

Example: A social networking company relies on its internet service provider. If the internet provider fails to deliver internet connectivity to the company's social networking site, then the availability of the information is compromised. Hence the internet service should be considered while determining the scope of the ISMS.

ISO 27001 states that the scope of the ISMS shall be available as documented information.


Clause 4.4 Information Security Management System

