Understanding the Organization and its Context
Moving on to Module 2.
During this module we will be covering Clause 4, the context of the organization.
Lesson 2.1: Understanding the organization and its context.
In this lesson, we will cover the first of the requirement clauses of the ISO 27001 standard, which is Clause 4, organizational context.
We will cover why this clause is so important and what needs to be produced as an output from the activities in this clause.
We will also take a look at some examples of internal and external factors to consider in relation to your organization, and what the required or mandatory documentation from this clause is.
So why is this clause important?
Each organization operates within its own unique context.
It is important to understand this context
so that the ISMS requirements can be tailored to ensure that they support your business objectives
and the needs and expectations that your business has.
The context of your organization will shape your ISMS implementation in terms of the risks, the controls, the resources you have available, what your scope is, and so forth.
Understanding the internal and external factors affecting the organization
will also help in shaping a frame of reference.
So what is it that you need to do for Clause 4?
The main part of this clause is understanding your business: what it does and where it is going in terms of strategic objectives,
and then, importantly, what the internal and external factors are that need to be considered when you look at the organization.
The context of the organization is something that the auditor, when you are at the stage of having your ISMS audited, will keep coming back to.
It is also something that you should keep in mind throughout your ISMS development, implementation and maintenance.
We will cover this in more detail later in the course, when we address the mandatory documents for an ISMS.
But the context considered for the organization would be included in a document known as the ISMS Manual or Policy.
I prefer to use the term manual as opposed to policy, as this avoids confusion with the information security policy of the organization, which may already exist.
So some of the factors that you could document for Clause 4
are: understanding the organization and its functions holistically.
This includes understanding the physical operating environment,
the industry, the organizational structure, and what the core activities of the organization are.
It is also helpful to document the reasons why your organization is undertaking the exercise of becoming ISO 27001 compliant or certified.
It might be handy to highlight the expected benefits,
especially if you want to convince top management to come on board with the project.
This could be something used in a business case.
Analyze and document the internal and external factors that influence your organization.
We'll go through a couple of examples of these on the next slides.
So what internal factors does one need to consider?
Here are a couple of examples.
Existing organizational policies, procedures and standards.
Locations of your offices.
What your objectives are and the supporting strategies for them.
The current capacities and capabilities of resources,
specifically in terms of information security and existing knowledge around the ISO 27001 standard.
Considerations around your physical infrastructure and environment.
Previous risk assessments and/or audit results.
Any internal projects which may initiate change.
So what do you actually consider in terms of all of these items?
Anything that could give rise to risk,
give rise to opportunities,
or specific policies, procedures and resources which may constrain or provide boundaries that you have to work within.
If you are a subsidiary company and you have a group company overseeing your company,
the group would normally dictate certain policies, such as
IT policies.
It can be difficult to work within these policies when you don't have direct control over them, specifically with regard to changing or adapting controls.
There may be ways and means to work around this within your organization, but it is important to
take note of these areas so that you can put the appropriate measures in place to make sure any existing risks are appropriately mitigated.
What are some of the external factors to consider?
Have a look at your local and international customer base.
Specifically, what do they require from you
as a company that they transact with?
What is the industry that you are operating in?
What are the pressures?
What are your competitors doing?
What is the political, legal and regulatory environment,
and does this have any direct pertinence to your organization,
especially with regard to being compliant with ISO 27001?
Also consider any key suppliers or third parties of your organization,
especially if you have sole dependencies,
and any physical or geographical challenges faced by the organization.
What is the specific documentation
to have for Clause 4.1?
Having an overview of the organization and its business activities.
This can exist in the form of a write-up or a paragraph.
Often this already exists on your company's website, in the About section.
Using this could be a great way
to take this one off your list. It frames the rest of the ISMS manual, and anyone who picks up the manual and needs context about your organization will have all of the information they need.
An organizational chart is a great component to include,
as this shows the breakdown of functions within your business and who the responsible people are,
and it can also help you to frame your ISMS scope, which we'll discuss in the lesson to come.
It is also important to have a procedure to hold a meeting to discuss internal and external factors.
This can be a small procedure line,
stating how often, and who needs to be part of, a meeting or workshop to discuss the internal and external factors affecting the organization.
It is not a once-off activity and should be repeated on a periodic basis
to ensure that any new factors or changes
to the internal and external environment
are identified and factored into the ISMS.
Meeting minutes for the discussion of this,
as well as an attendance register
or agendas, any documentation that can support and show that these discussions have
taken place, is also great to keep, especially for a certification audit.
In this lesson 2.1,
we covered how the context of the organization will shape everything else within your ISMS.
We covered the internal and external factors that must be considered
and that these will come into play throughout your ISMS life cycle.
We also looked at the activities to be performed as part of this clause,
as well as the documentation required by the standard for this clause.