The organization shall determine external and internal issues that are relevant to its purpose and that
affect its ability to achieve the intended outcome(s) of its information security management system.
Workshop to determine external and internal issues that are relevant to its purpose and that
affect its ability to achieve the intended outcome(s) of its information security management system.
In a workshop, create a document that will evaluate following items and determine how each and every item can affect the organizations ability to achieve the intended outcome of its the ISMS. Remember that items that affect finance can easily affect information security.
Context
Why are we seeking ISO27001 certification?
- Win new business and sharpen your competitive edge
- Avoid the financial penalties and losses associated with data breaches
- Protect and enhance your reputation
- Comply with business, legal, contractual and regulatory requirements
- Improve structure and focus
- Reduce the need for frequent audits
- Obtain an independent opinion about your security posture
What are the benefits?
- Secures your information in all forms
- Increase your attack resilience
- Reduce information security costs
- Respond to evolving security threats
- Improve company culture
- Offers organization-wide protection
- Provides a central framework
- Protects confidentiality of data
What are the internal issues?
- Identify internal issues that may help or hinder the ability to build an effective management system
- Technical issues/challenges
- Recourse issues (equipment, knowledge, finance, time, staff)
- Knowledge issues
- Threats
- Risks
- Opportunities
- Expectations
- Demands
What are the external issues?
- Identify external issues that may help or hinder the ability to build an effective management system
- Market demand
- Customer expectations
- Image of the organization
- External risks
- External threats
- Job market
- Competition
- Environment
- Stability
- Access to knowledge
When designing the framework for managing risk, the organization should examine and understand its external and internal context.
Examining the organization’s external context may include, but is not limited to:
- the social, cultural, political, legal, regulatory, financial, technological, economic and environmental factors, whether international, national, regional or local;
- key drivers and trends affecting the objectives of the organization;
- external stakeholders’ relationships, perceptions, values, needs and expectations;
- contractual relationships and commitments;
- the complexity of networks and dependencies.
Examining the organization’s internal context may include, but is not limited to:
- vision, mission and values;
- governance, organizational structure, roles and accountabilities;
- strategy, objectives and policies;
- the organization’s culture;
- standards, guidelines and models adopted by the organization;
- capabilities, understood in terms of resources and knowledge (e.g. capital, time, people, intellectual property, processes, systems and technologies);
- data, information systems and information flows;
- relationships with internal stakeholders, taking into account their perceptions and values;
- contractual relationships and commitments;
- inter-dependencies and inter-connections.