ISO 27001 Information Security Management Standard - Clause 4.1, 4.2, 4.3, 4.4

Posted by Craig Thornton

Part 13: Clauses 4.1, 4.2, 4.3 and 4.4 - context, interested parties, scope, ISMS

When looking to meet clauses 4.1 through to 4.4 you really should start at clause 4.2.  Then move onto clause 4.1.  Then work on 4.4 and then finally tackle clause 4.3.  These clause work as a group with each clause linked to the others.

However, just don’t jump in boots and all. Meeting these clauses requires really great planning with your Top Management’s involvement.  You must determine who will participate in this process, where the process will take place, and what data is necessary.

Here at Mango, we devoted a whole day discussing and understanding clauses 4.2 and 4.1.  So that there were few distractions, we worked off site and banned the use of cell phones.

businessman hand draws gear to success concept.jpeg

4.2 Understanding the needs and expectations of interested parties

Firstly, we brainstormed and listed who were our interested parties. 

At Mango we defined interested parties as those organisations or people who influence our operation and those that are affected by our operation.  For sure this can be quite a list but it is a really good exercise.  

For Mango these included customers, employees, partners, suppliers, contractors, government, local councils, registrars and the general public.

Next we debated how each party has an impact or could have an impact on our information security management system (ISMS) on us and our product. 

Finally we documented each of their needs and expectations on a simple spreadsheet.

4.1 Understanding the organization and its context

Now that we have our interested parties as a starting point we then debated the context of the organisation (clause 4.1).  

We have used a Brand Compass for years that describes our vision, our mission and our values.  The compasses cover:

  • Our core promise
  • Our values
  • Our unique buying proposition
  • The benefits of using Mango
  • What customer insight we have
  • What our target market is
  • What brand anchors we use
  • How we will behave

We then fleshed this out some more with a SWOT analysis.  This analysis is a review of our strengths and our weaknesses, as well as the opportunities and threats to the business.

This analysis helps us understand the business environment we operate in.  Included in this we identified internal and external issues, both positive and negative, that could have an impact on us in terms of information security.

Now we had a clear understanding of the context in how we operate and how that informs our information security management system.

4.4 Information security management system

Now that you have clauses 4.1 and 4.2 completed, you then should determine what the ISMS should look like and how it should be managed.

As we already had a quality management system in place that meets ISO 9001:2015, we decided that the ISMS would easily fit side-by-side with the QMS. Therefore the ISMS will integrate with the QMS to become our integrated management system (IMS).

We would rewrite many of our procedures to include information security but the overall structure will be unchanged from how it looked as a QMS.

4.3 Determining the scope of the information security management system

Now that we have documented 4.1, 4.2 and 4.4, we are now in a place to determine the scope of our QMS.

You need to take into account your whole organisation.  The statement of applicability was a great help here.  This determined what was in or out of the ISMS.

Takeaway

The steps to meeting clauses 4.1 to 4.4 of ISO 9001:2015 are:

  1. Determine the needs and expectations of your interested parties (4.2)
  2. Review your purpose, vision and mission with reference to your interested parties (4.1)
  3. Conduct a SWOT analysis (4.1).
  4. Sketch out your ISMS and document as you go along(4.4).
  5. Determine the scope of the ISMS (4.3).

 

Integrated_Management_System_manuel.jpg

 

View previous blogs in this series "ISO 27001 Information Security Management Standard":

ISO 27001 Information Security Management Standard: Principle 1 - Analysing the Protection of Your Information and then Applying Controls

ISO 27001 Information Security Management Standard: Principle 2 - Awareness of the Need for Information Security 

ISO 27001 Information Security Management Standard: Principle 3 - Assignment of Responsibility for Information Security

ISO 27001 Information Security Management Standard: Principle 4 - Incorporating Management Commitment and the Interests of Stakeholders

ISO 27001 Information Security Management Standard: Principle 5 - Enhancing Societal Values

ISO 27001 Information Security Management Standard: Principle 6 - Risk assessments determining appropriate controls to reach acceptable levels of risk

ISO 27001 Information Security Management Standard: Principle 7 - Security incorporated as an essential element of information networks and systems

ISO 27001 Information Security Management Standard: Principle 8 - Active prevention and detection of information security incidents

ISO 27001 Information Security Management Standard: Principle 9 - Ensuring a comprehensive approach to information security management 

 ISO 27001 Information Security Management Standard: Principle 10 - Continual reassessment of information security and making of modifications as appropriate

ISO 27001 Information Security Management Standard: Principle 11 - Clauses 0, 0.1, 0.2, 1, 2 and 3 of ISO 27001:2013

Tags: Cybersecurity, ISO 27001, information security, ISO 27001 Certification