ISO27001 Clause 4

As I’ve already described, ISO27001 is composed of a series of clauses, which are largely common to all the ISO standards, and an annex of suggested controls that can be used to reduce your risks.

If you want to write an Information Security Management System, let’s start at the beginning with clause 4. Why clause 4, not clause 1? Because that’s the way the ISO roll, baby. Clause 1 sets out the scope of the standard, clause 2 is a bit of blurb that I can’t even start to summarise and clause 3 gives some links to terms and definitions.

Clause 4 is known as the Context clause. It’s where you identify where your organisation sits in the world, who it interacts with and the scope of the ISMS.

4.1 – Understanding the organisation and its context

The standard asks you to identify the internal and external factors that affect the organisation. The classic way of doing this is a SWOT analysis, which makes you think about the organisation’s Strengths and Weaknesses, the Opportunities the organisation has to grow or improve, and the Threats to the organisation.

An example, off the top of my head, could be:

Strengths – Good reputation, good technology, skilled people

Weaknesses – Understaffed, limited geographical spread, lack of skills in some areas

Opportunities – Export, take over a competitor, marketing

Threats – New technologies making product out of date, staff being poached, bigger company moving into market

You can also do a PESTLE analysis, which stands for Political, Economic, Social, Technological, Legal and Environmental, and is a way of identifying issues that could affect you.

Again, some examples:

Political – Change of government, UK’s accession to the PPTPTP, or whatever it’s called.

Economic – High interest rates and high inflation making people less willing to spend money

Social – Shortage of skilled staff, hybrid working, Millennials not sticking at jobs, Generation X taking early retirement

Technological – AI, Cloud computing

Legal – Numerous laws coming in

Environmental – CO2 and methane emissions being measured, poor water quality, recycling

This isn’t essential but you do need to do something to say what your organisation does and how it relates to the market.

4.2 – Understanding the needs and expectations of interested parties

This is about identifying who will benefit from you having an ISMS, how they benefit and why.

The easiest way to do this is to have a table with three columns. As I have no idea how to do that in WordPress I’ll have to do this crudely…

Interested party – Shareholders

Requirement – Data is held securely, profitable company, no fines from the ICO

Which will be addressed by the ISMS – Secure data, no fines

Other stakeholders could include staff, customers, suppliers, your landlord and your neighbours. The list goes on, depending on the sort of organisation you are working for. Some people also include hackers/bad actors as interested parties.

4.3 – Scope

You need a pithy, one or two line statement that summarises what your company does. You then need to set boundaries. What does your ISMS apply to? You probably can’t force your suppliers to follow your processes, so you need to say which premises and which systems it applies to. Your ISMS might be amazing, but it doesn’t apply to the whole world, so say where it does apply.

The scope shall be available as documented information. This is non-negotiable. You need to have a written scope.

4.4 – Information Security Management System

This says that to have ISO27001 you need an ISMS that you are maintaining and improving. The ISMS is so much more than a series of policies. You need policies, some procedures, logs and registers as well as awareness courses and anything else that’s going to help you.

Ok, so that’s clause 4. It’s saying you have to have an idea of what your organisation does before you can go any further.

The next clause is clause 5, Leadership, so join me on that page next.