July 21, 2023

ISO 27001:2022 Requirements: Clause 4.1 Understanding the Organisation and Its Context

Read the requirements of ISO 27001 Clause 4.1: Understanding the Organisation and Its Context, which ensures that the organisation determines external and internal issues relevant to the achievement of ISMS objectives, and is one of the first steps towards the building and implementation of an effective ISMS.


“The organisation shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its information security management system.”

As an organisation, once you have identified the intended outcome(s) of your ISMS (information security management system), you need to understand all internal and external issues in the context of ISO 27001 that may be relevant to your business goals and the achievement of the information security management system objectives.

Here, we’ll expand upon what constitutes internal and external issues in the context of an organisation, as well as some internal and external issues examples.

ISO 27001 Internal Issues

Internal issues include organisational structure, products and services, policies and guidelines, and the roles and responsibilities of staff, management, stakeholders and others.

Organisational Structure

When identifying ISMS issues around organisational structure, organisations should consider things like company hierarchy, roles and responsibilities, departmental structure, who has access to information, and who is aware of the relevant policies. As an organisation grows, the complexity and the number of potential internal issues related to data security are likely to grow rapidly with it.

Products and Services

Understanding the inherent issues and risks of an organisation’s products and services is critical to building the foundations of a strong ISMS. If a company provides physical products, then physical security is likely to be a consideration, whereas if an organisation offers a service that stores considerable amounts of sensitive customer information, then cyber security and data leaks should be highlighted.

Policies and Guidelines

Policies and guidelines are another area of potential internal issues. Organisations should review every policy within the business and consider the risks inherent in each. For example, policies and guidelines governing how data is stored and transmitted should be examined.

ISO 27001 External Issues

External issues can seem daunting and more wide-ranging than internal ones, so organisations should consider implementing a PESTLE (political, economic, sociological, technological, legal and environmental) or ICEDRIPS (innovation, competitors, economic, demographics, regulatory, infrastructure, partners and social trends) analysis.

Here, we have provided some examples within the PESTLE framework.

Political

Organisations should consider any political factors that could influence their organisation and its data security. Brexit, for example, significantly altered both the supply chain and regulations for many businesses.

Economic

External market concerns that affect the profitability and running of the organisation should be considered. If economic threats reduce income and profit, how would that affect the organisation’s workforce, processes and ability to manage data?

Sociological

Organisations should bear social trends in mind, such as the needs of customers and changing demographics in their customer base, and how this affects their approach to data.

Technological

Technological developments are among the most common external issues organisations face when considering an ISMS. Recent, rapid developments in cloud storage, AI, big data and machine learning are all potential issues that organisations should consider.

Legal

Legal issues such as data protection law and the GDPR are crucial for businesses to consider in order to achieve ISMS compliance. Organisations should consider the legal requirements and guidelines of every geographical area in which they trade.

Environmental

With a greater spotlight on organisations to meet increasingly scrutinised environmental targets, businesses should consider what impact this might have on their ability to implement an ISMS.

Overall, understanding the organisation’s context and its related internal and external issues will give you a clearer view of the organisation, allowing you to properly define the scope of the ISMS and implement it effectively.

Identifying the key stakeholders in your organisation, and arranging a meeting or establishing a longer process with them to correctly identify these issues, is critical to success.
