
Why does the standard clause use the term Issues in place of Context - ISO 27001 4.1

patkim

Registered Visitor
#1
Hi,
ISO 27001:2013 talks about understanding the organization and its context. However, the actual clause 4.1 expects that the organization shall determine the internal and external issues that affect its ability to achieve the intended outcomes.

Why does it refer to the term Issues in place of Context? An organizational context can be anything from aspects of the organization, including its culture, governance, adopted management systems, contractual relationships and capabilities, that are not necessarily issues but simply the current aspects that must be factored in before implementing an ISMS. It can also be any issues that might prevent the organization from achieving its ISMS implementation or objectives.

So why does it refer to determining Issues in place of Context?
Thanks.
 

somashekar

Staff member
Super Moderator
#2
While context is the accepted and well understood environment of the organization and its operations, which could remain stable over a reasonable time, issues are conflicts that affect the organization's abilities to achieve the intended outcome within its context.
You may take several examples...
While employee participation and safety are context, an employee union at times can be an issue. An internal issue...and likewise.
 
#3
In addition to what Somashekar has rightly pointed out, I believe it is also worth considering the fact that the standard deals with Information Security and - if I remember correctly - since the first draft of the standard we talked about issues. This is because the environment in which information security operates is an environment where issues are the order of the day and where the context is made up of daily problems, attacks and countermeasures to contain them and try to protect their information.
Have a nice day
 
#4
The context is trying to get the organization (top management) to look at what is going on, internally and externally, that may impact on the ability of the ISMS to be effective. For example, Google may soon have a wearable device which functions like Alexa and can access an organization's information. It may be able to "read" (out loud) to the wearer. How might that impact risks on information security? Doing a SWOT analysis (or PESTLE or similar) is a way to look at this - in terms of risks and opportunities.
 