Before embarking on the development and implementation of an ISMS, it is important to understand your organisation, its context and purpose, its organisational structure and how it works and operates. This includes consideration of the issues, both internal and external, that are relevant to the organisation’s purpose and business objectives and that could influence the ISMS outcomes that the organisation intends to achieve. One important factor in this respect is the issues that could pose an information security risk to the organisation’s business objectives, purpose, information and information systems. It is also important to understand the organisation’s risk culture and appetite in order to properly design, implement and integrate the ISMS within the organisation.
For the ISMS to be effective, appropriateand suitable to meet the organisation’s objectives and purpose, it needs to determine the risks and opportunities. To achieve an accurate measure of what these risks are, the relevant internal and external issues and the requirement to be addressed in Section 3.1.2 needs to be identified and considered. This means for the ISMS to effectively manage these risks its design and implementation shall take account of these issues, relevant information security requirements and be “at one,” in harmony, in sync with the context and business environment of the organisation. We shall in Chapter 4 address the requirements of ISO/IEC 27001 regarding risk management.
Understanding the business and its context is essential to enable the
ISMS to work with and be embedded in the organisation and not function as a separate entity. This is important since the ISMS should be a business enabler, adding value to the business and minimizing the information security risks to help maximize its business opportunities.
Internal Issues and Context
All those internal issues and dependencies relevant to the purpose and objectives of the organisation achieving an effective ISMS need to be identified and taken into account. For example, the organisation needs to ask and consider if there may be internal standards, policies and procedures related to business processes or the management of operations and resources that are relevant. These may be issues, restrictions and dependencies that the ISMS needs to take into account when considering the information security risks and the implementation of controls for treating these risks. For example,
restrictions on the type of technology that can be deployed because of internal procurement policy or a dependency from another department or business unit for a specific support or resource.
There may be internal IT infrastructure issues that may impact ISMS
performance and effectiveness; again, these issues need to be taken into account in the ISMS risk assessment and treatment. The organisation may operate with internal service contracts between business units, and these may specify service delivery and availability issues and dependencies that the ISMS would need to address. There may be specific issues related to the internal workforce regarding organisation culture, dependencies on capabilities and competence of individuals for specific roles and awareness issues.
Understanding the internal environment is especially relevant in order to appropriately address the ISMS risks. There are internal issues and dependencies that have an impact on the implementation of the ISMS but also the ISMS itself will have a direct impact on business operations. Therefore, the better informed we are of what issues and dependencies are involved in the organisation’s working environment and their effect on implementing an ISMS, the better the risk assessment and the better the decision making will be at arriving at the most effective way to treat the risks. Good risk decision making, the type and level of risk control needed and the cost and benefits of implementing these controls depends on good information being available and duly considered during the risk management process. Of course, this also applies to the external business environment in which the organisation operates.
External Issues and Context
All those external issues and dependencies relevant to the purpose and objectives of the organisation’s ISMS need also to be identified and taken into account. This includes the following areas of risk and business dependency:
External organisations relationships:
- Customers, clients, consumers;
- Business partners;
- Supply chains;
- Service providers;
- IT vendors.
External business processes;
- External workforce
- infrastructure elements.
- Market conditions and competition;
- New laws and regulations;
Dependency on outside resources, services and infrastructure can all
have a negative impact on the organisation if, for example, there is an incident that causes disruption to the supply of these resources and services or results in damage to the infrastructure. Failures or interruptions, for example,
in energy supply, telecommunication services or transportation services
can have a major impact on organisations.
Those organisations supplying such resources and services are of course responsible for managing their own information and IT security risks. It is, however, the responsibility of the organisation availing itself such external resources and services to identify external risks in order to be able to appropriately manage their own business risks. This is why it is important to understand the organisation’s activities, operations and processes and to identify the external issues and dependencies to be able to properly manage its risks. The more well-informed the organisation is about these issues the better able it is to make decisions of how to treat and manage its risks due to external dependencies.
Audit Expertise Comptable LLC is a premium Auditing, Consulting and Training firm involved in coaching, assisting and auditing, facilities to be certified to international standards. AEC will make sure that all changes to regulatory requirements are communicated to manufacturers during consultation and that documentation change requirements are fully met. Over 25 years the firm has been engaged in this business and has helped over 700 facilities in achieving their certification goals. AEC has a disciplined 10 Step path towards certification which is insensitive to failure. AEC has helped organizations to get certified not only ISO 13485 but also to several other International Standards such as ISO 9001, ISO 14001, ISO 27001, ISO 50001, ISO 45001 and sector specific standards such as, IATF 16949:2016, AS 9100 D, TL 9000, FSSC 22000:2018, SQF edition 8. BRC-8 IFS in food safety and many more. Please visit our website https://aeciso.com or contact for immediate assistance e mail: firstname.lastname@example.org