Understanding the Organization and its Context

Time
7 hours 56 minutes
Difficulty
Intermediate
CEU/CPE
8
Video Transcription
00:01
Moving on to module two.
00:04
During this module we will be covering clause 4, the context of the organization.
00:19
Lesson 2.1: Understanding the organization and its context.
00:28
In this lesson, we will cover the first clause of the ISO 27001 standard,
00:33
which is clause 4, organizational context.
00:37
We will cover why this clause is so important and what needs to be produced as an output from the activities in this clause.
00:44
We will also take a look at some examples of internal and external factors to consider in relation to your organization, and what the required or mandatory documentation from this clause is.
01:00
So why is this clause important?
01:04
Firstly,
01:06
Each organization operates within its own unique context.
01:10
It is important for you to understand this context
01:14
so that the ISMS requirements can be tailored to ensure that they support your business objectives
01:19
and the needs and expectations that your business has.
01:25
The context of your organization will shape your ISMS implementation in terms of the risks, controls, resources you have available, what your scope is, and so forth.
01:40
Understanding the internal and external factors affecting the organization
01:44
will also help in shaping a frame of reference.
01:57
So what is it that you need to do for clause 4?
02:00
The main part of this clause is understanding your business, what it does, where it's going in terms of strategic objectives,
02:08
and then, importantly, what are the internal and external factors that need to be considered when you look at the organization?
02:15
The context of the organization is something that the auditor, when you are at the stage of having your ISMS audited, will keep coming back to.
02:23
It is also something that you should be keeping in mind throughout your ISMS development, implementation and maintenance.
02:31
We will cover this in more detail later in the course, when we address mandatory documents for an ISMS.
02:38
But the context considered for the organization would be included in a document known as the ISMS manual or policy.
02:46
I prefer to use the term manual as opposed to policy, as this avoids confusion with the information security policy of the organization, which may already exist.
03:00
So some of the factors that you could document for clause 4,
03:05
specifically 4.1,
03:07
is understanding the organization and its functions holistically.
03:13
This includes understanding the physical operating environment,
03:15
the industry, the organizational structure and what the core activities of the organization are.
03:23
It is also helpful to document the reasons why your organization is undertaking the exercise of becoming ISO 27001 compliant or certified.
03:35
It might be handy to highlight the expected benefits,
03:38
especially if you want to convince top management to come on board with the project.
03:42
This could be something used in a business case.
03:46
Analyze and document the internal and external factors that influence your organization.
03:52
We'll go through a couple of examples of these on the next slides.
04:04
So what internal factors does one need to consider?
04:09
Here are a couple of examples.
04:12
Existing organizational policies, procedures and standards,
04:16
locations of your offices,
04:19
what your objectives are and the supporting strategies for that.
04:24
The current capacities and capabilities of resources,
04:29
specifically in terms of information security and existing knowledge around the ISO 27001 standard.
04:36
considerations around your physical infrastructure and environment,
04:42
previous risk assessments and/or audit results.
04:46
Any internal projects which may initiate change.
04:51
So what factors do you actually consider in terms of all of these items?
04:57
Anything that could provide risk,
05:00
give rise to risk,
05:01
give rise to opportunities,
05:05
or specific policies, procedures and resources which may constrain or provide boundaries that you have to work within.
05:14
For example,
05:15
if you are a subsidiary company and you have a group company overseeing your company,
05:21
the group would normally dictate certain policies such as
05:26
IT policies.
05:30
It can be difficult to work within these policies when you don't have direct control over them, specifically with regards to changing or adapting controls.
05:39
There may be ways and means to work around this within your organization, but it's important to
05:45
take note of these areas so that you can put the appropriate measures in place to make sure any existing risks are appropriately mitigated.
06:00
What are some of the external factors to consider?
06:04
Have a look at your local and international customer base.
06:09
Specifically, what do they require from you
06:12
as a company that they transact with?
06:15
What is the industry that you are operating in?
06:17
What are the pressures?
06:19
What are your competitors doing?
06:21
What is the political, legal and regulatory environment,
06:27
and does this have any direct pertinence to your organization,
06:30
especially in regards to being compliant with ISO 27001.
06:35
Also, consider any key suppliers or third parties of your organization,
06:41
especially if you have sole dependencies,
06:45
and physical or geographical challenges faced by the organization.
07:00
What is the specific documentation
07:02
to have for clause 4.1?
07:09
Having an overview of the organization and business activities.
07:13
This can exist in the form of a write up or a paragraph.
07:16
Often this exists already on your company's website, in the about section.
07:21
Using this could be a great way
07:25
to take this one off your list. It frames the rest of the ISMS manual, and anyone that picks up the manual and needs to get context about your organization will have all of the information that they need.
07:36
An organizational chart is a great component to include
07:41
as well,
07:42
as this shows the breakdown of functions within your business and who the responsible people are,
07:47
and it can also help you to frame your ISMS scope, which we'll discuss in the lesson to come.
07:57
It is also important to have a procedure to hold a meeting to discuss internal and external factors.
08:03
This can be a small procedure line
08:05
stating how often, and who needs to be part of, a meeting or workshop to discuss what the internal and external factors affecting the organization are.
08:16
It is not a once-off activity and should be repeated on a periodic basis
08:20
to ensure that any new factors or changes
08:22
to the internal and external environment
08:26
are identified and factored into the ISMS.
08:31
Meeting minutes for the discussion of this,
08:33
as well as an attendance register
08:35
or agendas, any documentation that can support and show that these discussions have
08:41
taken place, is also great to keep, especially for a certification audit.
08:54
To summarize,
08:56
in this lesson 2.1,
08:58
we covered how the context of the organization will shape everything else within your ISMS.
09:03
We covered the internal and external factors that must be considered,
09:07
and that these will come into play throughout your ISMS life cycle.
09:13
We also looked at the activities to be performed as part of this clause,
09:16
as well as the documentation required by the standard for this clause.
ISO 27001:2013 - Information Security Management Systems

The ISO 27001:2013 - Information Security Management Systems course provides students with insights into the detail and practical understandings meant by the various clauses in the ISO 27001 Standard.