Understanding the Organization and its Context

00:01

moving on to module to

00:04

during this module will be covering clothes for the context of the organization

00:19

lesson 2.1. Understanding the organization and its context

00:28

in this lesson, we will cover the first clause off the ice. So 27,000 and one standard,

00:33

which is close for organizational context.

00:37

We will cover why this clause is so important and what needs to be produced as an output from the activities. In this clause,

00:44

we will also take a look at some examples off internal and external factors to consider in relation to your organization and what they required or mandatory documentation from this clause is

01:00

so why is this clause important?

01:04

Thirsty?

01:06

Each organization operates within its own unique context.

01:10

It is important for him to understand this context

01:14

so that the ice um s requirements can be tailored to ensure that they support your business objectives

01:19

and the needs and expectations that your business has

01:25

The context of your organization will shape your isom is implementation in terms of the risks controls. Resource is you have available what your scope is and so forth.

01:40

Understanding the internal and external factors affecting the organization

01:44

will also help in shaping a frame of reference.

01:57

So what is it that you need to do for clothes? For

02:00

the main part of this close is understanding your business, what it does, where it's going in terms of strategic objectives

02:08

and then importantly, what is the internal and external factors that need to be considered when you look at the organization?

02:15

The organ context of the organization is something that the auditor, when you are at the stage of having your items audited, will keep coming back. Thio.

02:23

It is also something that you should be keeping in mind throughout your ice Miss Development, implementation and maintenance.

02:31

We will cover this in more detail later in the course, and we address mandatory documents for a nice miss.

02:38

But the context considered for the organization would be included in a document known as the Isthmus Manual or Policy.

02:46

I prefer to use a term manual as opposed to policy, as this avoids confusion with the information security policy off the organization which may already exist.

03:00

So some of the factors that you could document for flaws for

03:05

specifically 4.1

03:07

is understanding the organization its functions holistically.

03:13

This includes understanding the physical operating environment,

03:15

the industry, the organizational structure on what the core activities off the organizational.

03:23

It is also helpful to document the reasons why your organization is undertaking the exercise off becoming ISO 27,001 compliant or certified.

03:35

It might be handy to highlight the expected benefits,

03:38

especially if you want to convince top management to come on board with the project.

03:42

This could be something used in a business case.

03:46

Analyze and document the internal and external factors that influence your organization.

03:52

We'll go through a couple of examples of thes on the next slides.

04:04

So what internal factors does one need to consider

04:09

here? A couple of examples.

04:12

Existing organizational policies, procedures and standards,

04:16

locations of your offices,

04:19

what your objectives are and the supporting strategies for that.

04:24

The current capacities and capabilities of resource is

04:29

specifically in terms of information, security and existing knowledge around the eye. So 27,000 and one standard

04:36

considerations around your physical infrastructure and environment,

04:42

previous risk assessments and or ordered results.

04:46

Any internal projects which may initiate change.

04:51

So what factors do you actually consider in terms of all of these items?

04:57

Anything that could provide risk.

05:00

Give rise to risk,

05:01

give rise to opportunities

05:05

or specific policies, procedures and resource is which may constrain or provide boundaries that you have to work within.

05:14

For example,

05:15

if you are a subsidiary company and you have a group company overseeing your company

05:21

group would normally dictate certain policies such as

05:26

I T policies.

05:30

It can be difficult to work within these policies when you don't have direct control over them specifically with regards to changing or adapting controls.

05:39

There may be ways and means to work around this within your organization, but it's important. Thio.

05:45

Take note off these areas so that you can put the appropriate measures in place to make sure any existing risks are appropriately mitigated.

06:00

What is this? Some of the external factors to consider

06:04

Have a look at your local and international customer base?

06:09

What specifically, what do they require from you

06:12

as a company that they transact with?

06:15

What is the industry that you are operating in?

06:17

One of the pressures?

06:19

What are your competitors doing?

06:21

What is the political, legal and regulatory environment,

06:27

and does this have any direct pertinence to your organization,

06:30

especially in regards to being compliant to ISO 27,001.

06:35

Also, consider any key suppliers or third parties of your organization,

06:41

especially if you have sold dependencies,

06:45

physical or geographical challenges faced by the organization.

07:00

What is the specific documentation

07:02

to have for close 4.1

07:09

having an overview of the organization and business activities?

07:13

This can exist in the form of a write up or a paragraph.

07:16

Often this exists already on your company's website. In the about section

07:21

using this could be a great way

07:25

to take this one off your list. It frames the rest of the ice mess manual, and anyone that picks up the manual and needs to get context about your organization will have all of the information that they need

07:36

on organizational chart is a great component to include

07:41

as well

07:42

as this shows, you break down our functions within your business. Who the responsible people are,

07:47

and it can also help you to frame your ice miss scope, which we'll discuss in the listen to come.

07:57

It is also important to have a procedure to hold a meeting to discuss internal and external factors.

08:03

This can be a small procedure line,

08:05

stating how often and who need to be part of a meeting or a workshop to discuss what is the internal and external factors affecting the organization.

08:16

It is not a once off activity and should be repeated on a periodic basis

08:20

to ensure that any new or changes

08:22

to the internal and external environment

08:26

are identified and factored into ice mess.

08:31

Meeting minutes for the discussion off this

08:33

as well as in attendance, register

08:35

or agendas, any documentation that can support and show that these discussions of

08:41

taken place is also great to keep, especially for a certification audit.

08:54

To summarize

08:56

in this lesson 2.1,

08:58

we covered how the context of the organization will shape everything else within your ice mess.

09:03

Recovered the internal and external factors that must be considered

09:07

on that these will come into play throughout your eyes. Miss Life cycle.

09:13

We also looked at the activities to be performed as part of this clause