ISO 27001:2013 Clause 4.1 and 4.2 Clarification and Guidance

pravi_2

#1
Hi All,

Could someone provide guidance on the following:

4.1 - Understanding the organization and its context.

4.2 - Understanding the needs and expectations of interested parties.

I need help in determining and documenting the above mentioned clauses.

I guess, going forward, because of Guide 83 (Annex SL), the remaining standards such as 9001, 14001, 31000 and 22301 etc. also have similar clauses.

I tried checking many sites, googled, checked with friends and even auditors. It seems no one has any clue or clarity on how to deal with the above clauses.

Hence, I request the community to help me on the above.

Thanks in advance
PR
 
somashekar

Staff member
Super Moderator
#2
Re: ISO 27001:2013

Hi Pravi 2 ... Welcome to the COVE ~~~
Understanding and responding to 4.1 and 4.2 must be demonstrated in the planning and execution of the ISMS, by suitable determination to the best of your abilities.
Are you up to documenting things clause by clause?
If so, this is neither required nor recommended.
 

Richard Regalado

Trusted Information Resource
#3
Hello Pravi!

I use mind maps to determine 4.1 and 4.2. I find it useful to connect different aspects of the business, e.g. customers and their requirements, legal requirements, and requirements not stated but necessary.

From the mind map I can now tabulate external and internal issues, their interconnections with the business, requirements of each interested party, etc.

Try creating a mind map so you'll get a big picture of your ISMS's environment and rationale.

This is what I do and it works, others may have a better approach. Keep an open perspective on what works best for you.

Cheers!
 
pravi_2

#4
Thanks Somashekar and Richard.

Let me put the same question in a different way.

During the audit, what kind of documentary evidence do we need to demonstrate for the above mentioned clauses?

My doubt is, through mind map, SWOT or PEST analysis, I guess we can define the context. But:
1. How to demonstrate the same (because all the methods mentioned above might be very informal representations)
2. How to derive or link the ISMS objectives to the context and thus to Risk Assessment (especially asset-based)

Hope, this discussion will help many confused souls like me :)

Best Regards
PR
 

Richard Regalado

Trusted Information Resource
#5
Easy. Through the mind maps and SWOT analysis you are able to derive the scope and boundaries of the ISMS. Show the auditors your working documents. They're perfectly acceptable. The scope statement you can put in your ISMS manual, if you have one, or in the IS Policy Document.

From the tables in 4.2 you can come up with a more formalized list of contractual, legal and business requirements. Should you need a template, I can show you a sample.
 
pravi_2

#7
Richard

Sorry, I am still not clear about "2. How to derive or link the ISMS objectives to the context and thus to Risk Assessment (especially asset-based)".

:)

Thanks
PR
 

Richard Regalado

Trusted Information Resource
#8
With the context, you are able to derive your scope. The risk assessment you will perform will be for the assets within the identified scope.

More often than not, you will have risks that will not satisfy your risk acceptance criteria. You then have to perform risk treatment. Somewhere within your risk treatment process you will select controls, such as conducting user awareness training courses or establishing a CCTV system. Objectives can then be established for these controls.

Examples:

% attendance at ISMS courses vs. total manpower of the company

Completion of the CCTV installation. On time? Within budget?


Do you want a sample of a risk treatment plan with objectives?

Richard
 
pravi_2

#9
From the tables in 4.2 you can come up with a more formalized list of contractual, legal and business requirements. Should you need a template, I can show you a sample.
Richard,

Could you please share the sample template.

Thanks
PR
 