ISO 27001: Breaking Down Clauses 4.1 and 4.2

Umar Farouk
7 min read · Sep 21, 2023


Hey guys!! Due to popular demand, I’ll be guiding you on how to tailor and implement the ISO 27001 standard in organizations and businesses. Over the next few weeks, you will be exposed to real-life scenarios and the questions I have asked to make the work possible. So, let’s start with the first set of processes to implement.

Clause 4.1: Understanding the organization and its context.

So, the clause reads “The organization shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its information security management system.” As per ISO 31000, clause 5.3.1, these issues are of two types.

  • Internal Context/Factors
  • External Context/Factors

Consider why the organization exists: what are its objectives? What are its values? What is the vision? What is the mission? How many staff does it have? Questions like these are some of what you would call “internal context”. They are determined and controlled by the organization, right?

Internal context comprises all factors that are within the control of the organization. The parameters considered here are very similar to those considered when managing risk, and they will greatly aid you in setting the scope and criteria for your risk work. These include:

  • Organization Structure (Hierarchy, roles and responsibilities)
  • Organization culture (vision, mission and values)
  • Available resources (Human, tech, financial)

So, all questions to be asked concerning the internal context of an organization revolve around the people, processes and technology within your organization’s control.

The external context consists of factors that could potentially aid or hinder the organization but are outside your control. From an implementation point of view, it is essential to identify the legal and regulatory landscape as it affects the organization.

It should also be noted that the political landscape, including relevant government policy changes and the passing of bills, is important for your organization, because your policies and compliance goals will be affected by them. The ever-evolving technological landscape is also something to follow, as new technology brings new risks and threats, but also new solutions.

Let’s cook up a scenario!

Let’s consider a scenario involving a Nigerian financial institution, “APT Bank,” that seeks to implement an ISMS using the ISO 27001 standard:

Internal Context: APT Bank would need to analyze its internal context. This involves identifying factors within the organization that influence its information security and can be controlled. These would include:

  • Organizational Structure: APT Bank’s organogram must be drawn showing hierarchy, departments, and reporting lines. This impacts how information security measures are implemented and monitored, creates accountability and establishes roles, responsibilities and expectations.
  • Company Culture: The culture of prioritizing security and compliance within the organization is a critical internal factor. This culture is determined and enforced by top management. If employees are not well-trained or lack awareness of security practices, it could pose an array of risks.
  • Technology Architecture: Understanding the internal technology, such as the networks, servers, and software, is crucial for assessing potential vulnerabilities and risks. Having an asset inventory of the technology will enable you to track its use, maintenance and lifecycle. In essence, you can only protect what you know you have.

External Context: On the other hand, APT Bank would also need to assess its external context; this involves the factors beyond its immediate control. Some of these factors include:

  • Regulatory Environment: Nigerian banking laws and regulations regarding data protection and cybersecurity are vital external factors that influence APT Bank’s information security practices. Some of them are the Banks and Other Financial Institutions Act, the Companies and Allied Matters Act and the Nigerian Deposit Insurance Corporation Act.
  • Competitive Landscape: Understanding what other banks in Nigeria are doing in terms of security and whether they have experienced any recent breaches can provide insights into external threats.
  • Cybersecurity Trends: Monitoring global trends in cyber threats, such as new attack techniques or emerging vulnerabilities, is essential to stay ahead of potential risks, vulnerabilities and breaches.

Clause 4.2: Understanding the needs and expectations of interested parties.

The clause reads “The organization shall determine:

a) interested parties that are relevant to the information security management system.

b) the relevant requirements of these interested parties.

c) which of these requirements will be addressed through the information security management system.”

Interested parties are also known as “stakeholders”. Stakeholders have a “stake” in your organization: they affect, or are affected by, your organization in a number of ways, positive or negative, and this is why they have to be catered for. They could include customers, employees, regulatory authorities, business partners, and others.

Identifying your stakeholders' requirements will help you gain insights into their expectations, needs, and concerns related to information security. This understanding is essential for tailoring your ISMS to meet these requirements effectively.

The requirements and needs could come in the form of financial needs, services, regulatory and legal needs, and strategy. Knowing these needs will help you satisfy them, and there’s a saying, “Happy stakeholders, happy business”, or was the saying about a happy wife?

Let’s make another scenario!

In this scenario, we will be looking at an e-commerce company by the name of “Luke’s Shop” that wants to implement an ISMS. They handle customer data and would like to ensure secure online transactions. Let’s start by identifying some stakeholders, shall we?

  1. Customers: Luke’s Shop’s primary stakeholder is its customer base. Customers expect their personal and financial information to be secure when making purchases on the platform. They also expect a seamless and trustworthy online shopping experience.
  2. Regulatory Authorities: All organizations and businesses that handle customer data are expected to comply with the Nigeria Data Protection Regulation (NDPR). Non-compliance with the NDPR would impact Luke’s Shop negatively, so staying in compliance is a good business decision.
  3. Payment Processors: Luke’s Shop partners with payment processors to facilitate online payments. Payment processors are interested in the security of transactions and expect Luke’s Shop to meet industry standards to prevent fraud and breaches. Payment processors like “Paystack” would not want to sign an SLA with a business that doesn’t comply with regulations like PCI DSS as they relate to payment information.
  4. Business Partners: Luke’s Shop collaborates with various suppliers and logistics companies. These partners have expectations regarding the security of their data when interacting with Luke’s Shop’s systems. Once again, an enterprise like “GIG Logistics” would not want to be associated with a business that cannot secure its data.

Analysis: Luke’s Shop must thoroughly understand the needs and expectations of these interested parties to develop an effective ISMS:

  • Customers: To meet customer expectations, Luke’s Shop should implement robust security measures such as encryption, secure payment gateways, and regular security audits. They should also provide clear privacy policies and offer customer support for security-related concerns.
  • Regulatory Authorities: Luke’s Shop should ensure compliance with the NDPR and regularly communicate with the authorities to demonstrate its commitment to data security.
  • Payment Processors: Luke’s Shop should collaborate closely with payment processors to ensure secure transactions. They should follow industry standards such as the Payment Card Industry Data Security Standard (PCI DSS) to meet the expectations of these partners, and obtain the certification to demonstrate their ongoing efforts to stay in compliance.
  • Business Partners: Luke’s Shop should maintain a transparent approach to security and share relevant security policies and practices with business partners to assure them of data protection. Nobody would want to invest in a business that has not covered its internal security (people, processes and technology).

By understanding and meeting the needs and expectations of these interested parties, Luke’s Shop will build trust, reduce risks, and enhance its reputation in the e-commerce industry while effectively implementing its ISMS.

Conclusion…

The ISO 27001 Standard has many more clauses that we will look at as the series goes on. I hope to have you on this journey as we break the veil on one of the most sought-after standards today.

I hope you have found value in today’s article; consider subscribing and following me on my socials. If you need any of the documents used in this demo, I am a DM away.
