ISO 27001 Information Security - Clause 4.1 Understanding the organization and its context

Clause 4.1 Understanding the context

11 April 2022 - ISO 27001 Information Security in plain English - Blog post #1.

In order to plan a management system, we first need to understand the internal and external factors that may affect the ability to achieve objectives. A 'situational analysis' will help to understand the context in which an organization is operating.


ISO 27001 Information Security in plain English

Information Security is becoming critical to every business, and there is a fast-growing trend towards developing management systems based on the ISO 27001 standard. However, the subject and its terminology can certainly be a little daunting. So, we set out to cut through that in 'ISO 27001 Information Security in plain English' - a series of blog articles that explain all clauses and controls in the standard.

Understanding the organization and its context

In plain English, this requirement is to understand the factors that may affect the organization’s ability to achieve its information security objectives.

It’s worth adding a couple of explanatory notes here: Those factors could be external or internal to the organization. When combined, the factors are considered to be the context of the organization – the reality within which it operates.

At first, trying to understand the context of your organization might seem a daunting prospect. What factors are relevant to your organization's purpose and strategic direction? Which of them have the ability to impact the ISMS (Information Security Management System) and its intended results? Where to start? What to include? As with many complex problems, the answer is to divide it into bite-sized pieces. Those internal and external factors may first be divided into a set of categories to help identify them more easily. We can then assess their significance, and ultimately decide what to do about them. This approach may be referred to as a Situational Analysis or a PEST / SWOT analysis (for reasons that will become clear below).

External factors relate to your organization's operating environment or market, and can be placed into categories such as:

  • Political.
  • Economic.
  • Social.
  • Technological.

Hence, the PEST acronym. This term is sometimes expanded to PESTEL or PESTLE where there is a desire to separately categorise Environmental and Legal factors. If keeping the categories to the simpler PEST model, Legal factors are often included in the Political category, and Environmental factors tend to be included in the Economic or Technological categories.

Internal factors might include:

  • Existing performance.
  • People.
  • Resources.
  • Business culture.

The categorisation of factors is only to assist in identifying and grouping them. There are no definite rules that you must adhere to.

Having identified relevant factors, the next step is to consider their possible impact on your ISMS. Internal factors are generally assessed as being either a Strength or a Weakness. External factors are generally assessed as being either an Opportunity or a Threat. Hence, the acronym SWOT analysis.

Usually, each item assessed would also be given a value of importance or influence.

The exercise of understanding the context of your organization should provide a solid foundation for the development of your ISMS. It should give you a clear idea of the issues you face, which will put you in a good position to plan and implement your ISMS.

Of course, the context of any organization will change over time. Therefore, it should be regularly monitored and reviewed. That may be achieved by including it as part of a wider management review activity (we’ll discuss management review in depth in a later blog).

Should this step be documented? Well, ISO 27001 does not specify any documentation requirements here, but consider the following:

  1. How would you go about building your understanding of the context of your organization?
  2. How would you monitor and review the changing context over time?
  3. How would you demonstrate the above to a certification auditor?

So, in our opinion, this is certainly a case where we would consider some documentation to be useful both to ensure compliance and to demonstrate it to others (such as to an auditor).

This clause is often addressed at the same time as clause 4.2 'Understanding the needs and expectations of interested parties' and that is the subject of the next blog in this series.

ISO 27001 Information Security in plain English

This blog post is part of a series where we will work through all the clauses and controls in ISO 27001. A great starting point for developing your ISMS.

This blog series began with an introductory webinar. A copy of the slide deck is available for you here:

Qudos_ISO_27001 Information_Security_in_plain_English (PDF)



Ready to start your journey to ISO 27001?

Qudos 3 IMS software includes a more in-depth version of this post, templates for your PEST / SWOT analysis, facilities to securely manage documents created, and tools to schedule and record reviews - with automated assignment and tracking of actions.

The first step to commencing a management system based on ISO 27001 is to conduct a gap analysis. We can provide a qualified, experienced certification auditor to perform a Gap Analysis service for you.

Contact us today to discuss your needs!
