ISO 27001:2013 - How to document Context Of the Organization

[saravanan_g]

Hi,

The scope of my Organizations ISMS is restricted to IT department. The IT Department provide IT services including application development, application support, desktop support to other departments.

How to determine external and internal issues of IT department

Who could be be interested parties and

What could be their requirements

Any practical example will be highly appreciated

 

[Colin]

In my opinion the context of the organisation and the scope statements are closely linked so I think you have a good start point in what you have written in your post. It is about who you are as a company and what you do.

Other things to consider would be how critical your services are to your customers e.g. if you were providing IT support for a major airport it would be a different system than if you were providing support to a local recruitment agency. In other words, what are the risks associated with failure.

From that, you should be able to work out who your interested parties are. Hope it helps but do ask further if you need to.

 

[Richard Regalado]

I approach external and internal issues by thinking what are the things that matter to or affects the organization in relation to information security. These things I normally classify into 3 main categories:

1. legal and regulatory requirements (external) - consisting of legislation that the organization needs to adhere to such as intellectual property rights law, data privacy legislation, etc.

2. contractual obligations - requirements coming from the customers normally stated into contract documents or SLAs.

3. your own business requirements - not coming from the government or regulators or your customers but your own requirement e.g. securing the front door of the office. Is this required by law or the customers? Maybe not. But you have it to secure your premises.

Start from the above. List down all the things that matter and affects your organization. These are your external and internal issues. After completing your risk assessment, you may revisit the list and add certain threats and vulnerabilities to your list.

Benchmark your list to the identified scope. It could be the case that the Operations department is more at risk than the IT department. You may want to upgrade your scope.

Let me know if you need more help.

Happy Christmas!

Richard

 

[saravanan_g]

Thanks for your valuable suggestions.

My Management doesn't want to widen the scope to other departments. They dont want to change the scope

and ill give u a actual scenario below

My Company is a Insurance Company and has many insurance departments and group entities. It provides insurances (life, medical, vehicle etc) to customers



We (centralized IT and MIS Department) provide IT services to all departments and groups. The Services include

o Application & Database Support (insurance application development and support)
o Security Administration & Management (Desktop support, firewalls and servers)
o E-Commerce Service
o IT Helpdesk

Now the scope is

"Management of Information Security for the IT Infrastructure and Service relating to all support Services as well as protecting the confidentiality, integrity and availability of customer's data."

 

[saravanan_g]

All the insurance data is stored in the datacentre and the opertaions department wont have usb access, internet access etc. They are saving their data in the file server

 

[Richard Regalado]

Saravanan, it seems that you are going through the updated requirements (i.e., context of the organization) of ISO/IEC 27001:2013 just for the sake of doing it. The organization already made its decision regarding the scope regardless of the outcome of determining both external and internal issues.

Is it only the IT department who has access to sensitive (i.e., personal, financial) information? I doubt this. IT department may keep the information but they do not know the "value" of the information. The various operational units involved in day-to-day transactions and discussions with your customers are more exposed to sensitive information. Information such as cost of insurance premiums, beneficiaries, addresses, phone numbers, next of kin, etc. These information are beyond IT's understanding and grasp. You may be limiting the value of the ISMS to your organization.

Who vouched for the controls you have implemented? Did you include other business units? Are the operational units involved in deciding that you need to curtail USB access?

At any rate, good luck in your upgrade. I hope you use ISO/IEC 27001 the way it is intended to be used.

Not all information you need to protect are stored in the IT department.

 

[Reg Morrison]

Is it only the IT department who has access to sensitive (i.e., personal, financial) information? I doubt this. IT department may keep the information but they do not know the "value" of the information.
Not all information you need to protect are stored in the IT department.

Well said Richard. Unfortunately one of the British ISMS registrars has been agreeing to certify only IT departments of large organizations to ISO 27001. Why do they do it? To make the sale easier. But it is so short sighted; after all, the recent hack on Sony happened company-wide.

To certify only the IT department to ISO 27001 is akin to certify only the QA department of a company to ISO 9001. It does not make any sense whatsoever, but that registrar does not care, as long as the sales keep coming.

 

[AndyN]

Saravanan, it seems that you are going through the updated requirements (i.e., context of the organization) of ISO/IEC 27001:2013 just for the sake of doing it. The organization already made its decision regarding the scope regardless of the outcome of determining both external and internal issues.

Is it only the IT department who has access to sensitive (i.e., personal, financial) information? I doubt this. IT department may keep the information but they do not know the "value" of the information. The various operational units involved in day-to-day transactions and discussions with your customers are more exposed to sensitive information. Information such as cost of insurance premiums, beneficiaries, addresses, phone numbers, next of kin, etc. These information are beyond IT's understanding and grasp. You may be limiting the value of the ISMS to your organization.

Who vouched for the controls you have implemented? Did you include other business units? Are the operational units involved in deciding that you need to curtail USB access?

At any rate, good luck in your upgrade. I hope you use ISO/IEC 27001 the way it is intended to be used.

Not all information you need to protect are stored in the IT department.

Isn't it also true, Richard, to say that the ISMS is "scalable" and, once the basics are put in place to control the most significant proportion of information which needs securing, the ISMS - and hence the certification - can also be increased in scope, as the risk assessment determines? From my experience, although information security certainly ISN'T only the IT function, the risk assessment is going to drive what controls are applied and where - correct? From what I've understood to be true, it's NOT comparable to the QMS which really has to apply to the broadest sense of an organization, since it's what they do for a customer...

 

[Richard Regalado]

Andy N, ISMS, EMS, HSMS, FSMS are all scalable. The ISO standards have given much leeway to the organizations to decide which risks are "fair game". The onus is now on the top management. Do they want a certificate on the wall or an honest to goodness management system encompassing the things that matter.

With regards to the current topic, the topic starter intimated that top management has no intention on rethinking the scope regardless of the output of the determination of internal and external issues. For me that's somewhat a myopic point of view if risks to the CIA of information assets needs to be managed in a structured manner by looking at the exposures from a 360-degree perspective.

 

[Richard Regalado]

Well said Richard. Unfortunately one of the British ISMS registrars has been agreeing to certify only IT departments of large organizations to ISO 27001. Why do they do it? To make the sale easier. But it is so short sighted; after all, the recent hack on Sony happened company-wide.

To certify only the IT department to ISO 27001 is akin to certify only the QA department of a company to ISO 9001. It does not make any sense whatsoever, but that registrar does not care, as long as the sales keep coming.

Thanks for dropping by Reg.

Just want to confirm that in my neck of the woods, the Germans (all 3 of them), the Swiss, the Norwegians are doing it as well. Truth be told, it is a nice and easy way to start implementing the ISMS, both in efforts and $$$, but should not be an end. Once must not get to comfy with such a limited scope.