ISO/IEC 27001:2013

LEAD IMPLEMENTER TRAINING

TRAINER: TRIVESH SHARMA, OYUNTUGS B.


• What does ISO27001 require in clause 4.1?
• What actions to take to meet the ISO27001 4.1 requirements?
• What procedures/instructions to follow?
• What records to keep?

LECTURE 1.
METHODS OF IMPLEMENTING - CLAUSE 4.1 OF ISO27001:2013
How you go about this and the specific areas of priority will be driven by the context your organization operates in, both:
• internal – the things over which the organization has some control; and
• external – the things over which the organization has no direct control.

A careful analysis of the environment your organization operates in is fundamental to identifying the inherent risks posed to the security of your Information Assets. The analysis is the foundation that will enable you to assess what processes you need to consider adding or strengthening to build an effective ISMS.

Internal Context

The following are examples of the areas that can be considered when assessing the internal issues that may have a bearing on the ISMS risks:
• Maturity: are you an agile start-up with a blank canvas to work on, or a 30+ year old institution with well-established processes and security controls?
• Organization culture: is your organization relaxed about how, when and where people work, or extremely regimented? Might the culture resist the implementation of Information Security controls?
• Management: are there clear communication channels and processes from the organization’s key decision makers through to the rest of the organization?
• Resource size: are you working with an Information Security Team, or is one person doing it all?
• Resource maturity: are the available resources (employees/contractors) knowledgeable, fully trained, dependable and consistent, or are personnel inexperienced and constantly changing?
• Information asset formats: are your information assets mainly stored in hard-copy (paper) format, or are they stored electronically on a server on-site, or in remote cloud-based systems?
• Information asset sensitivity/value: does your organization have to manage highly valuable or particularly sensitive information assets?
• Consistency: do you have uniform processes in place across the organization, or a multitude of different operating practices with little consistency?
• Systems: does your organization have many legacy systems running on software versions that are no longer supported by the manufacturer, or do you maintain the most up to date and best available technology?
• System complexity: do you operate one main system that does all the heavy lifting, or multiple departmental systems with limited information transfer between them?
• Physical space: do you have a dedicated secure office facility, or do you operate in a space shared with other organizations?

External Context

The following are examples of the areas that can be considered when assessing the external issues that may have a bearing on the ISMS risks:
• Competition: do you operate in a rapidly changing and innovative market, requiring many system upgrades to stay competitive, or in a mature, stable market with little innovation year-to-year?
• Landlord: do you need approval to upgrade physical security?
• Regulators / enforcement bodies: is there a requirement in your sector to make regular statutory changes, or is there little oversight from regulators in your market sector?
• Economic/political: do currency fluctuations impact your organization; will Brexit in the UK have an impact?
• Environmental considerations: is your site on a flood plain with the server(s) located in a basement? Are there factors making your site(s) a possible target for a break-in or a terrorist attack (e.g. in a prominent city centre location; next to a possible target)?
• Prevalence of information security attacks: does your organization operate in a sector which regularly attracts interest from hackers (criminals, hacktivists)?
• Shareholders: are they very concerned about the vulnerability of the organization to data breaches? How concerned are they about the cost of the organization’s efforts to improve its information security?
What does ISO27001 require in clause 4.1?

• External issues
• Internal issues
• This clause requires that the organisation determines the external and internal issues that are relevant to its purpose and strategic direction and that affect its ability to achieve the intended outcomes of its ISMS.
• Notes:
– issues can include positive and negative factors or conditions for consideration
– understanding the external context can be facilitated by considering issues arising from legal, technological, competitive, market, cultural, social and economic environments, whether international, national, regional or local
– understanding the internal context can be facilitated by considering issues related to the activities, values, culture, knowledge and performance of the organisation
– both PESTLE and SWOT are useful tools in this context
What actions to take to meet the ISO27001 4.1 requirements?

• Define the external and internal issues
• Prepare a procedure/instruction on how to conduct the external and internal issue analysis, who is to do it, and when it is to be done
• Classify each issue as either positive (business opportunity) or negative (business risk)
What procedures/instructions to follow?

• A procedure/instruction template: on how to conduct the external and internal issue analysis, who is to do it, and when it is to be done
What records to keep?

• Record of external issues: PESTLE and Porter’s 5 Forces
• Record of internal issues: McKinsey 7S