ISO 27001:2013 - How to document Context Of the Organization


saravanan_g

#1
Hi,

The scope of my organization's ISMS is restricted to the IT department. The IT department provides IT services, including application development, application support and desktop support, to other departments.

How do I determine the external and internal issues of the IT department?

Who could be the interested parties, and

what could be their requirements?

Any practical example would be highly appreciated.
 

Colin

Quite Involved in Discussions
#2
In my opinion the context of the organisation and the scope statement are closely linked, so I think you have a good starting point in what you have written in your post. It is about who you are as a company and what you do.

Other things to consider would be how critical your services are to your customers, e.g. if you were providing IT support for a major airport it would be a different system than if you were providing support to a local recruitment agency. In other words, what are the risks associated with failure?

From that, you should be able to work out who your interested parties are. Hope it helps but do ask further if you need to.
 

Richard Regalado

Trusted Information Resource
#3
I approach external and internal issues by thinking about what the things are that matter to or affect the organization in relation to information security. I normally classify these things into 3 main categories:

1. legal and regulatory requirements (external) - consisting of legislation that the organization needs to adhere to, such as intellectual property rights law, data privacy legislation, etc.

2. contractual obligations - requirements coming from the customers, normally stated in contract documents or SLAs.

3. your own business requirements - not coming from the government, regulators or your customers, but your own requirements, e.g. securing the front door of the office. Is this required by law or by the customers? Maybe not. But you have it to secure your premises.

Start from the above. List all the things that matter to and affect your organization. These are your external and internal issues. After completing your risk assessment, you may revisit the list and add certain threats and vulnerabilities to it.

Benchmark your list to the identified scope. It could be the case that the Operations department is more at risk than the IT department. You may want to upgrade your scope.

Let me know if you need more help.

Happy Christmas!

Richard
 

saravanan_g

#4
Thanks for your valuable suggestions.

My management doesn't want to widen the scope to other departments. They don't want to change the scope,

and I'll give you an actual scenario below.

My company is an insurance company and has many insurance departments and group entities. It provides insurance (life, medical, vehicle etc.) to customers.

We (the centralized IT and MIS department) provide IT services to all departments and groups. The services include:

o Application & Database Support (insurance application development and support)
o Security Administration & Management (desktop support, firewalls and servers)
o E-Commerce Service
o IT Helpdesk

Now the scope is:

"Management of Information Security for the IT Infrastructure and Service relating to all support Services as well as protecting the confidentiality, integrity and availability of customer's data."
 

saravanan_g

#5
All the insurance data is stored in the datacentre, and the operations department won't have USB access, internet access, etc. They save their data on the file server.
 

Richard Regalado

Trusted Information Resource
#6
Saravanan, it seems that you are going through the updated requirements (i.e., context of the organization) of ISO/IEC 27001:2013 just for the sake of doing it. The organization already made its decision regarding the scope regardless of the outcome of determining both external and internal issues.

Is it only the IT department who has access to sensitive (i.e., personal, financial) information? I doubt this. The IT department may keep the information, but they do not know the "value" of the information. The various operational units involved in day-to-day transactions and discussions with your customers are more exposed to sensitive information: information such as the cost of insurance premiums, beneficiaries, addresses, phone numbers, next of kin, etc. This information is beyond IT's understanding and grasp. You may be limiting the value of the ISMS to your organization.

Who vouched for the controls you have implemented? Did you include other business units? Were the operational units involved in deciding that you need to curtail USB access?

At any rate, good luck in your upgrade. I hope you use ISO/IEC 27001 the way it is intended to be used.

Not all information you need to protect is stored in the IT department.
 

Reg Morrison

#7
Richard Regalado said:
Is it only the IT department who has access to sensitive (i.e., personal, financial) information? I doubt this. The IT department may keep the information, but they do not know the "value" of the information. Not all information you need to protect is stored in the IT department.

Well said Richard. Unfortunately one of the British ISMS registrars has been agreeing to certify only the IT departments of large organizations to ISO 27001. Why do they do it? To make the sale easier. But it is so short-sighted; after all, the recent hack on Sony happened company-wide.

To certify only the IT department to ISO 27001 is akin to certifying only the QA department of a company to ISO 9001. It does not make any sense whatsoever, but that registrar does not care, as long as the sales keep coming.
 
Andy N

#8
Richard Regalado said (quoting reply #6 above in full):
Isn't it also true, Richard, to say that the ISMS is "scalable" and, once the basics are put in place to control the most significant proportion of information which needs securing, the ISMS - and hence the certification - can also be increased in scope, as the risk assessment determines? From my experience, although information security certainly ISN'T only the IT function, the risk assessment is going to drive what controls are applied and where - correct? From what I've understood to be true, it's NOT comparable to the QMS which really has to apply to the broadest sense of an organization, since it's what they do for a customer...
 

Richard Regalado

Trusted Information Resource
#9
Andy N, ISMS, EMS, HSMS, FSMS are all scalable. The ISO standards have given much leeway to organizations to decide which risks are "fair game". The onus is now on top management. Do they want a certificate on the wall or an honest-to-goodness management system encompassing the things that matter?

With regard to the current topic, the topic starter intimated that top management has no intention of rethinking the scope regardless of the output of the determination of internal and external issues. For me that's a somewhat myopic point of view if risks to the CIA of information assets need to be managed in a structured manner by looking at the exposures from a 360-degree perspective.
 

Richard Regalado

Trusted Information Resource
#10
Reg Morrison said (quoting reply #7 above in full):
Thanks for dropping by Reg.

Just want to confirm that in my neck of the woods, the Germans (all 3 of them), the Swiss and the Norwegians are doing it as well. Truth be told, it is a nice and easy way to start implementing the ISMS, both in effort and $$$, but it should not be an end. One must not get too comfy with such a limited scope.
 