Context Of The Organisation (Section 4)

4.1 - Understanding the Organisation & Its Context

The organisation shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its information security management system.

NOTE: determining these issues refers to establishing the external and internal context of the organisation.

This section relates to understanding the 'what' of the organisation - what does it do? The ISMS always exists within the context of an organisation. It includes requirements for the assessment and treatment of security risks tailored to the organisation.

4.2 - Understanding the Needs and Expectations of Interested Parties

The organisation shall determine:

  • Interested parties that are relevant to the information security management system.

Who are the stakeholders, internal and external?

  • The requirements of these interested parties relevant to information security.

NOTE: the requirements of interested parties may include legal and regulatory requirements and contractual obligations.

This section relates to understanding the 'who' - who are the relevant stakeholders, and what are their relationships to the organisation? Then, what are their requirements for information security? These become the requirements for the ISMS.

4.3 - Determining the Scope of the ISMS

The organisation shall determine the boundaries and applicability of the ISMS to establish its scope.

When determining scope, the organisation shall consider:

  • The external and internal issues referred to in [4.1]
  • The requirements referred to in [4.2], and
  • Interfaces and dependencies between activities performed by the organisation, and those that are performed by other organisations.

The scope shall be available as documented information.

Although we could apply the ISMS to the entire organisation, more often than not it is applied to a subsection of the organisation.
