Understanding the organization and its context
The required activity
A knowledge security management system (ISMS) is a system for assessing external and internal issues pertinent to the organization’s mission and affecting its ability to attain its intended goal(s).
As part of the ISMS, the organization continuously analyzes itself and the world around it. This analysis examines external and internal factors that influence information security as well as how security is commonly managed, details that are relevant to an organization.
These issues will be analyzed for three reasons:
– Identifying the scope of the ISMS by understanding the context;
– Analyzing the context for determining risks and opportunities;
– Ensuring the ISMS can adapt to change both internally and externally.
A company’s external issues are those beyond its control. It is often cited because of the environment at the organization.
The following aspects can be considered when analyzing this environment:
– Cultural and social;
– Legal, normative, political, and regulatory;
– Macroeconomic and financial issues;
– Naturally occurring;
– Highly competitive.
Various aspects of the organization’s environment constantly pose issues that affect the security of data and the management of security. The external issues that matter depend on the specific priorities and situation of the organization.
An organization can, for example, face external issues such as:
– The legal implications of outsourcing an IT service (legal aspects);
– The nature of the character with regards to fires, floods, earthquakes and other natural disasters (a natural factor);
– The technological progress of hacking tools and cryptography (technical aspect); and
– An understanding of the organization’s overall market demand (cultural, financial, or social dimensions).
– Organizations are responsible for dealing with internal issues.
An analysis of interior issues can take into account the following:
– The culture of the organization;
– The policies, objectives, and strategies for achieving them;
– Organizational structure, responsibilities, and governance;
– Organizational standards, guidelines, and models;
– The relationship between the organization and the external entity that directly impacts the business process;
– Procedures and processes;
– Capacity related to resources and knowledge (such as capital, time, skills, processes, systems, and technologies);
– The environment and the physical infrastructure;
– Systems of information, information flows, and decision-making processes (formal or informal);
– Former audit and risk assessment results.
This will be based upon an understanding of the organization’s purpose (like its mission statement or business plan), as well as based upon the organization’s intended outcome(s).
Identifying relevant external issues should be done through a review of external matters. Reviewing relevant internal issues should be done through a review of internal matters.
A good way to spot pertinent issues is to ask the following question – What are the implications of a particular category of issues for information security?
Here are three examples of internal issues:
– Example 1: Organizational structure and governance
A company’s governance and organizational structures should be considered when establishing an ISMS. It may also coordinate with other management systems to support similar structures, and add functions to the ISMS, such as management review and auditing.
– Example 2: Objectives, policy, and method
When an organization analyzes their policies, objectives, and methods, it can determine what they hope to achieve and how knowledge security objectives are often aligned with business objectives for successful outcomes.
– Example 3: Knowledge flows and information systems
The organization should identify the knowledge flows between its various information systems at a sufficient level of detail when determining internal issues.
The issues both external and internal will change over time, so the scope, constraints, and requirements of the ISMS should be reviewed regularly to identify the problems and evaluate their impact. Information about this activity and its results shall be documented only to the extent necessary for the effective functioning of the management system and within the form required by the organization.
1. What is the ISO 27001 Implementation Guidelines clause 4.1 all about?
2. What are the five goals of IT security governance?
3. What are the principles of security governance?
4. Why does governance matter in an organization? 4. What is it? How does it work?
5. What is the importance of information security governance?