ISO 27001:2013 Clause 4.1 and 4.2 Clarification and Guidance


pravi_2

Hi All,

Could someone provide guidance on the following:

4.1 - Understanding the organization and its context.

4.2 - Understanding the needs and expectations of interested parties.

I need help in determining and documenting the above mentioned clauses.

I guess, going forward, because of Guide 83 (Annex SL), the remaining standards such as 9001, 14001, 31000 and 22301 etc. will also have similar clauses.

Tried checking many sites, googled, checked with friends and even auditors. It seems no one has any clue or clarity on how to deal with the above clauses.

Hence, I request the community to help me on the above.

Thanks in advance
PR

somashekar

Leader
Admin
Re: ISO 27001:2013

Hi Pravi 2 ... Welcome to the COVE ~~~
Understanding and responding to 4.1 and 4.2 must be demonstrated in the planning and execution of the ISMS, by suitable determination to the best of your abilities.
Are you up to documenting things clause by clause? If so, this is neither required nor recommended.

Richard Regalado

Trusted Information Resource
Hello Pravi!

I use mind maps to determine 4.1 and 4.2. I find it useful to connect different aspects of the business, e.g. customers and their requirements, legal requirements, and requirements not stated but necessary.

From the mind map I can now tabulate external and internal issues, their interconnections with the business, requirements of each interested party, etc.

Try creating a mind map so you'll get a big picture of your ISMS's environment and rationale.

This is what I do and it works, others may have a better approach. Keep an open perspective on what works best for you.

Cheers!

pravi_2

Thanks Somashekar and Richard.

Let me put the same question in a different way.

During the audit, what kind of documentary evidence do we need to demonstrate for the above-mentioned clauses?

My doubt is, through a mind map, SWOT or PEST analysis, I guess, we can define the context. But:
1. How to demonstrate the same (because all the methods mentioned above might be very informal representations)
2. How to derive or link the ISMS objectives to the context and thus to the Risk Assessment (especially asset-based)

Hope, this discussion will help many confused souls like me :)

Best Regards
PR

Richard Regalado

Trusted Information Resource
Easy. Through the mind maps and SWOT analysis you are able to derive the scope and boundaries of the ISMS. Show the auditors your working documents. They're perfectly acceptable. The scope statement you can put in your ISMS manual, if you have one, or in the IS Policy Document.

From the tables in 4.2 you can come up with a more formalized list of contractual, legal and business requirements. Should you need a template, I can show you a sample.

pravi_2

Richard

Sorry, I am still not clear about "2. How to derive or link the ISMS objectives to the context and thus to the Risk Assessment (especially asset-based)".

:)

Thanks
PR

Richard Regalado

Trusted Information Resource
With the context, you are able to derive your scope. The risk assessment you will perform will be for the assets within the identified scope.

More often than not, you will have risks that do not satisfy your risk acceptance criteria. You then have to perform risk treatment. Somewhere within your risk treatment process you will select controls, such as conducting user awareness training courses or establishing a CCTV system. Objectives can then be established for these controls.

Examples:

% attendance at ISMS courses vs. total manpower of the company

Completion of the CCTV installation. On time? Within budget?


Do you want a sample of a risk treatment plan with objectives?

Richard

pravi_2

From the tables in 4.2 you can come up with a more formalized list of contractual, legal and business requirements. Should you need a template, I can show you a sample.

Richard,

Could you please share the sample template.

Thanks
PR

Richard Regalado

Trusted Information Resource
Pravi, apologies for the delay in sending your request. Attached is the template for the Register of Legal and Contractual Requirements. I attached the editable version so you can jump right into the action.

If you can improve this, please post it back. Hope you find this useful.

Attachments

  • ISMS-Registry of Legal and Other Requirements.docx
    95.1 KB