Clause 4 and 5: Understanding ISO 27001 Part 3
Clause 4 (Context of the organization)
The context of the organization is divided into four sections, namely:
4.1 Understanding the organization and its context
Clause 4.1 addresses the internal and external issues that relate to information security and affect the organization. These issues should cover the entire organization even if the scope of the ISMS is only a subset of it, because they are meant to help you identify a suitable scope. Organizations should consider the identified internal and external issues when they design and implement the ISMS; however, this does not mean that the ISMS must address every one of them. Possible sources for identifying such issues are company reports, corporate risk assessments, minutes of board meetings, and similar material.
Clause 4.1 therefore focuses on explaining what the organization does and the purpose of the ISMS: who are you, and what do you do? Note: all of this should be documented in the organization’s ISMS CONTEXT, REQUIREMENTS, AND SCOPE document.
4.2 Understanding the needs and expectations of interested parties
Clause 4.2 covers how to meet the needs and expectations of interested parties. To document this, create a table with two columns. The first column lists the interested parties that have some relevance to information security. The second column lists the requirements of those interested parties that are relevant to information security. Some interested parties place information security requirements on you; for others, you place information security requirements on them. The documentation should look like this:
4.3 Determining the scope of the information security management system
In defining the scope of ISO 27001, the first thing to consider is what information your organization processes, manages, and stores. While this can be straightforward for small organizations, larger organizations will have trouble defining their scope. To decide the scope of the ISMS, you must know what information you have. After determining the information to be managed by the ISMS, your risk assessment is used to decide what the scope will look like: for example, where is the information, in a datacenter or with suppliers? How are the controls managed, and by whom?
Typical ways of deciding what information to include in the scope are:
1. By service: “All information stored and processed for health services”
2. By location: “All information stored and processed in the Lagos office”
3. By business department: “All information stored, processed, and managed by the information technology department”
4. The whole company or some part of the company: “All information stored, processed, and managed by the company”
You must be careful not to exclude any information. The official way is to follow the methodology of ISO 27001: understand the external and internal issues and your interested parties, so that you understand your organization and your context, and then define your scope based on these factors. For instance, if you are defining the scope for a top bank in Nigeria, you cannot focus the scope on the Abuja office with 1,200 employees and leave out the head office in Lagos with 5,000 employees. The scope must be available as documented information.
Example of a scope statement: “The COMPANY scope for ISO 27001:2022 encompasses the people, premises, technology services and business processes which enable our organization to deliver (list of services) to clients based in the (USA and globally).”
4.4 Information Security Management System
Clause 4.4 states that “The organization shall establish, implement, maintain and continually improve an information security management system, including the processes needed and their interactions, in accordance with the requirements of this document.”
It can be confusing to understand the purpose of this requirement because, to meet it, you have to meet the requirements of all the other clauses. The clause may be of some value to auditors if there are minor nonconformities in other clauses, but it is very rare to see a nonconformity raised against clause 4.4.
Clause 5: Leadership
Clause 5 focuses mainly on the commitment of top management to the information security management system. Unless there is management commitment, the ISMS will not be successful. This clause is divided into three sub-clauses:
5.1 Leadership and Commitment
Clause 5.1 lists 8 things that “top management” must do; in summary, it says that top management must support the implementation and management of the ISMS. While some auditors will want to go through each of the 8 requirements and ask for some sort of evidence, you can meet the requirements of this clause by:
- Allocating resources to the management of the ISMS
- Having top management attend the opening meeting of the ISO 27001 audit
- Having top management approve important policy documents, e.g. the information security policy and the acceptable use policy. They can comment on the policy after signing it.
- Having top management attend the management review
- Having top management attend the information security steering committee meeting
- Ensuring top management understands the risks to information assets as given in the risk register
- Having top management drive annual awareness and mandate that all staff are present for the awareness
- Making information security a regular or occasional topic in management meetings
5.2 Policy
Clause 5.2 requires top management to establish an information security policy. An information security policy that meets the requirements of ISO 27001 must contain the following:
1. Purpose and Scope
The goal of the information security policy is to set the high-level policies and principles for information security in the organization. The policy should apply to all staff (including contract staff), and it should be supported by several other policy and procedure documents.
2. Objectives
The objectives should be supported by this policy, its supporting policies, procedures, and activities. A typical objective is: “To help prevent or minimize the impact of information security incidents or breaches to protect our business and safeguard our people.”
3. Roles and responsibilities
The ISMS manager has the overall responsibility for ensuring that the ISMS meets the requirements of ISO 27001. They also must report on the performance to the top management.
4. Information Security Policies
The organization should ensure that it continually improves its approach to information security by understanding the applicable information security requirements and, through its risk assessment, implementing what is necessary to meet those requirements. A statement to this effect should be documented in the information security policy.
5. Exceptions
Exceptions to the policy must be documented after being agreed upon by top management.
6. Non-Compliance
There should be a well-documented penalty for failing to comply with the policy.
5.3 Organizational roles and responsibilities
People in the organization need to understand the part they play with regard to information security. All employees should know their role in ensuring that information assets are safe and secure. What specific roles should you define?
These are formal roles that must be assigned. Most times the first two roles are assigned to the same individual, and the internal auditor role can be assigned to an external person. There are additional roles, especially for top management staff, and for every role you have to be clear about its responsibilities and authorities concerning information security. This is documented as a paragraph or more, either as roles or as responsibilities associated with existing jobs in the organization. Below are a few examples of roles that either already exist in the organization (e.g. CEO) or are specific to the ISMS (e.g. ISMS Manager):
Board of Directors
MD/CEO
Information Security Steering Committee
Chief Information Security Officer (CISO)
Chief Risk Officer (CRO)
Head, Information Technology
This is just a summary of a few of the roles. There are still many roles like the ISO Champions, ISMS manager, and internal auditor.
How do you document this?
1. In the information security policy
2. A separate document called “ISMS Organizational Roles, responsibilities, and Authorities.”
3. Job descriptions
4. In personal objectives, so that key stakeholders know their roles and responsibilities regarding information security
Thanks for reading thus far. Kindly share and leave a comment.
Cybersecurity Professional | Creator of Rafiki The Wise Blue Team Security Nuggets
9mo: Good read, well done bro 👍🏾
M.Sc. Applied Cyber Security | Security+ | Cybersecurity GRC Analyst | ISO 27001 Lead Implementer | IT Auditor
9mo: This was a good read 👏👏👏
I empower cybersecurity and compliance excellence for businesses | Cybersecurity and GRC Consultant | Regulatory Compliance Specialist | NIST | COBIT | ISO | writes about #regulatorycompliance
9mo: Thank you for the clear presentation
Legal Practitioner || I.T. & Cybersecurity Consultant || IT GRC || Data Privacy and Data Protection Law ||
9mo: It was an enlightening read. Kudos 👍
PhD || UN Women UK Participant for CSW68 || Multi-Award winning Cybersecurity Professional || Teacher || Keynote Speaker || Cybersecurity Career Coach and Mentor || Cyblack ||
9mo: Well done 👏👏👏