Understanding Organisation and Context
Clause 4.1 of the ISO 27001 requirements is about understanding your organisation and its context. It marks the entry point into the ISO 27001 standard and underpins the building and management of your Information Security Management System (ISMS). You need to outline how your organisation defines:
- What your ISMS does
- When it does it
- How it does it
Whether you're after independent ISO 27001 certification or just demonstrating compliance with the standard, taking a 'top down' approach to information security will help you build an effective, business led ISMS.
What are internal and external issues that might affect the intended outcome of the information security management system?
ISO doesn't actually offer much help in its explanation of what an internal or external issue might be. For an organisation that is new to information security management it could waste valuable time on just figuring that requirement out.
It is really down to the culture and nature of the organisation, the people involved, its starting point and the value at risk. As an example, a small well managed organisation with a clear purpose and few people involved might get to its conclusions on internal and external issues affecting the ISMS outcomes over a 10 min cup of tea.
However other organisations might take longer. We generally suggest this is a fast brainstorming type exercise that avoids over analysis initially - you will almost certainly identify more internal and external issues as you get into the other requirements and these can easily be added in as the implementation of your information security management system and journey towards better information assurance continues.
Examples of internal issues affecting the intended outcome of an information security management system
There are many issues that might be considered depending on the organisation, its sector, size, scope and nature of the products and services etc.
We suggest you are practical and ensure that it doesn't become a major strategy exercise or dissertation thesis when that is not required. It is less about where you 'bucket' the internal issue too, the idea of simple portfolio analysis like this is to help the brain trigger the internal issues.
So whether you put them under people, organisation or elsewhere is less important (some may also be external issues too) - it is the identification of the internal or external issues that is important so you can build an information security management system that works for you!
You'll also consider the nature of the organisation around people e.g. is the philosophy to do everything in house, outsource etc - these aspects all give rise to 'issues' that might affect the ISMS.
For example you may be able to control staff internally better than suppliers, but it might be there is an argument to having suppliers with their processes involved because they offer the services you want..remember that your business goals come first - this is right at the heart of the issues identification - run the business the way you want to and ensure that the ISMS protects your valuable information and that of your interested parties.
All the relevant issues should then be considered for more detailed risk analysis later on - not all issues are actually risks though, and some are more important than others so you might choose to prioritise around the bigger issues. So we would suggest you avoid the risk analysis or any deep consideration of what if at this stage and concentrate on identifying the issues.
Information as assets that are internal issues affecting ISMS outcomes
What information is created, handled, stored, managed and of real value for the organisation and its interested parties (in line with the stakeholder analysis you'll do for 4.2 next)? Personal data, sensitive customer ideas and IPR, financial information, brand, codebases etc?
This is right at the heart of the ISMS where the information assets are the foundation for everything else - identifying these assets early on also makes the information asset inventory management easy for A 5.9.
Then consider potential issues around the information itself - in particular confidentiality, integrity and availability, taking into account the other areas below as you go for triggering ideas of where the issues might be found.
People related internal issues that might affect the intended outcome of the ISMS
It's no surprise that human resource security is an important part of the ISMS, indeed Annex A 6 is devoted to it and all the subsequent policies, controls and management is likely to be with people in mind, both internal employees as well as external resources like suppliers.
Therefore consider any existing issues of:
- recruitment e.g. challenges in hiring competent people, high/low staff turnover
- induction - e.g. do they get training on information security right now, is it working
- in life management e.g. keeping them engaged and showing their compliance to the policies and controls, - do staff actually find information security sexy and exciting or is it a cultural challenge to get someone to lock their laptop when going to the toilet
- change of roles and exit e.g. is access to and removal of information assets and services carried out
Organisational internal issues affecting ISMS outcomes
What are the issues facing the organisation that might affect the outcome of the ISMS? As an example, fast growth brings issues of staff and structure that might affect understanding and knowledge of the policies, or that things change so quickly you can't easily bottom out detailed and consistent processes.
Are there organisation leadership and board or shareholder pressures that will cause issues (these can be positive as well as negative)? International operations will have different cultural norms for the people involved.
Another internal issue associated to people and the organisation might be about the fact you don't want many of them employed or struggle to find good ones so rely instead on outsourcing. That brings a need for suppliers (and staff in the suppliers) so that's an issue to tie in with the interested parties analysis you'll do in 4.2 next.
Products & Services internal issues that might impact the ISMS outcomes
What are the products and services delivered by the organisation and what sort of issues emerge around that which might cause information risk? For example, if the organisation is an innovator and IPR protection is important for product leadership, it's an issue that needs consideration in the ISMS.
If the organisation relies on large physical property e.g. as a manufacturer that will probably bring more physical security issues, whereas a small cloud software provider might be much more focused on issues like IPR protection from digital hackers and the issues surrounding dependency of their product success and assurance on hosting suppliers etc.
Systems and Processes as internal issues that affect the intended outcome of the ISMS
People often think about computers and digital technology when the 'system' word is used. However manual and paper-based systems are also key areas for issues to emerge so remember to consider those for issues too.
Each of the areas bucketed above will have systems and processes involved in it - that might be implicit (we have always done it that way and never documented it) or could be wrapped up in a mass of documentation that no one could ever follow. Think about the systems and processes internal issues around them - for example if you are hiring staff regularly but don't have a formal process and systems that demonstrate evaluation and screening from an information security perspective, you have an issue (not least because Annex A6 of ISO 27001).
An issue is that you might be hiring people that are going to become the enemy within.either through ignorance of information security or because they are a saboteur and you never considered that.Its the same with all the systems and processes across the organisation that are in scope for information assurance - what sort of issues emerge where confidentiality, integrity or availability of the information might be at threat?
How to identify the external issues affecting an information security management system using the PESTLE method
One of the old favourites for external analysis is PESTLE and it has merit for use in this exercise, again to be kept practical and focused for issues affecting the ISMS outcomes rather than as a deep strategic piece of work. This exercise generally needs much less explanation and you'll no doubt find it easy enough to go through and consider from an information security perspective.
Again avoid over analysis and trying to force fit things into buckets for the sake of it - something will trigger or it won't and you can always come back to it later on. The internal issues affecting the outcome of the ISMS will also trigger external issues - for example if the organisation decided that it won't do everything internally and needs suppliers, then external issues with those suppliers and their PESTLE related aspects come into the mix.
Political external issues affecting the outcomes from an ISMS
What political issues might affect the organisation and affect outcomes? Examples could include Brexit and specific policy changes in a sector that impact investment or growth that might lead to different ways of working, and different approaches to information management.
Politics (and powerful social media players abusing personal data) brought about GDPR which brought about regulatory changes, which increased the pressure on customers, who in turn are forcing suppliers to achieve independently certified ISO 27001 information security management systems to help them manage their overall supply chain risk.
That’s an example of an issue straddling many aspects of PESTLE and its an external issue facing almost all organisations.
Economic external issues affecting the outcomes from an ISMS
How does the economics of your market and the supply chain impact the organisation? Does that lead to more or less issues with suppliers, customers, what information security corners might get cut in a cost reduction arena and lead to increased risk or threat (and of course opportunity too)?
Examples might be cheaper labour, less training and less time for doing the work, or inability to afford decent technological systems that would help improve operations because funds need to be prioritised elsewhere (Tip - look at our business case planner whitepaper for guidance on the return on investment from information security.)
Sociological external issues affecting the outcomes from an ISMS
How is society or your audience demographic changing and affecting your business - for example always on connected citizens offer opportunity and threat, and a generation of staff that sometimes have more/less regard for data brings positives and negatives too.
Technological external issues affecting the outcomes from an ISMS
How does the increasing pace of technological change create issues for the ISMS outcomes? Daily changes in operating systems being patched versus (say) once a year in the past? That leads to a need for much more dynamic management that many organisations struggle to maintain which, if left unmanaged, increases the threat of a cyber breach and loss becomes more likely.
Where does artificial intelligence, machine learning, cloud, and every other technological buzzword create issues for your organisation externally?
Legislative external issues affecting the outcomes from an ISMS
One of the most common areas of failure in ISO 27001 is the inability to effectively highlight awareness of and then manage application legislation and regulation issues. This part of PESTLE is a great starting point for Annex A5.31 on compliance - if your auditor knows more than you about the legislation and regulation affecting your organisation (and therefore the ISMS) they will not be impressed.
It goes way beyond data protection, GDPR, computer monitoring, human rights and intellectual property law, so do give this area serious consideration for any information in your scope. You won't necessarily need a lawyer but showing you have considered the applicable legislation affecting the organisation will make risk treatment, policy & control creation more focused and relevant as well.
It might be that your risk appetite for something is quite high but if an applicable legislation or regulation sets the bar, then you'll need to develop policies and controls for complying with that rather than just what you might think is okay!
Environmental external issues affecting the outcomes from an ISMS
PESTLE typically treats environmental as the green issue however it can be your broader 'environment' as well. Simple considerations around environmental might mean that you aim to use less paper, travel less - great, what are the issues for the ISMS from that?
For example in developing the ISMS might it be an opportunity for changing practices around printing or developing mobile working policies etc - these are a couple of simple ideas that spring up when you think about environmental paper and travel issues.
Broader 'environment' issues might be the things going on in your competitors and broader forces (think Porters 5 forces as a simple example) - what external environment issues are happening there that might impact your ISMS outcomes?
You know your bargaining power of customers is increasing around information security. However if your competitors are all getting independently certified to ISO 27001 and you are only thinking about tick box/hand-waving compliance then that's an external issue you'd want to consider in more depth to be competitive let alone secure and trusted.