ISO/IEC 27001:2022 Clause 4:
Context of the Organization
Key Requirements:
- Determine, monitor and review external and internal issues
- Determine, monitor and review relevant interested parties
- Establish the information security management system scope
- Determine processes needed for the ISMS as well as their required inputs, expected outputs, sequence and interaction, resource needs, responsibilities, risks, and opportunities
When you are implementing your ISMS, the first step under the ISO 27001 requirements is to thoughtfully align your business objectives and intent with the ISMS. This process is titled “Context of the organization.” Establishing the context includes: defining the influence of various factors on the organization and how they affect the ISMS; the company’s culture, objectives, goals, the complexity of its products, and the flow of processes and information. It also requires reflecting on the size of the organization, its markets, and how it defines customers and other interested parties. The context is then used to identify risks and opportunities and to determine how they affect the ISMS.
Clause 4.1: Understanding the Organization and Its Context
The objective of Clause 4.1 is for your organization to establish its context and the nature of its business, and to identify strengths, weaknesses, threats and opportunities. This first step takes a “top-down” approach, allowing your organization to build an effective, business-led ISMS. Through identifying the context, organizations assess both internal and external influences when formulating and implementing an information security management system. In addition to traditional customer, economic and competitive factors, the clause notes that these influences can include how laws, technical developments and even political, cultural and social changes might affect the mission of the organization.
Clause 4.2: Understanding the Needs and Expectations of Interested Parties
This requirement addresses the desires and demands of all parties that may have an interest in the organization, could affect its mission, and therefore influence its information security management system. You should also list the risks associated with each stakeholder or interested party. The standard asks that organizations seeking ISO 27001:2022 certification have an ongoing process for determining these interested parties and their requirements.
Note: In February 2024, ISO published an amendment to Clauses 4.1 and 4.2 to include climate change considerations.
- Learn more about ISO/IEC 27001:2022 Amendment 1: Climate action changes
Clause 4.3: Determining the Scope of the Information Security Management System
Clause 4.3 of ISO 27001:2022 is a critical step in building the ISMS. Defining the scope tells stakeholders, including senior management, customers, auditors and staff, which areas of your business are covered by your ISMS. Ideally, you should be able to explain the scope of the ISMS simply enough that auditors and new staff can easily comprehend what is and is not part of it.
Clauses 4.1 and 4.2 should be completed before you address Clause 4.3, since their outputs help you identify the scope of your ISMS. When defining the scope, remember that interested parties will have expectations, and that those expectations must be addressed within the ISMS. Overall, the scope of the ISMS must be documented and centered on the products and services the organization supplies.
Learn More: Information Security Management System Scope
Clause 4.4: Information Security Management System
Because the ISO 27001:2022 standard maintains the process approach found in other management system standards (such as ISO 9001:2015), Clause 4.4 is easily addressed if you are doing everything else correctly. It requires understanding and control of the order of each phase in the ISMS processes and of how one element affects another, including:
- Measures used to gauge effectiveness
- How those measurements will be taken
- What criteria will be used to indicate success
- How to analyze the process so that it can be continuously optimized to better achieve its goals
A process is also needed for determining what capabilities, support and investment will be required, and by what means they will be provided, including:
- Who will be assigned to execute each phase and how these people will be empowered
- Determining both what may threaten execution of the process, and what benefits may come from proper process execution
- Documenting and updating the process, if necessary, and making it available to all involved
Learn More: ISO 27001 Processes, Procedures and Work Instructions – What is a process approach?
Please note that certain text from the ISO 27001 standard is only used for instructional purposes. Standard Stores recognizes and respects the International Organization for Standardization (ISO) copyright and intellectual property guidelines.