Context of the Organisation for ISO 27001 Information Security

ISO 27001 Clause 4

This clause requires the organisation to understand its context, identify its interested parties, define the scope of the ISMS and establish the ISMS itself.

ISO 27001 Clause 4 - Context of the Organisation

Clause 4 is where the information security management system starts. It asks the organisation to look outward at the issues and parties that affect its information security, then turn those findings into a defined scope for the management system itself. The clause splits into four sub-clauses, each covered in its own article below.

Sub-clauses of ISO 27001 Clause 4

Clause 4.1 - Understanding the Organisation and Its Context requires the organisation to identify the internal and external issues that affect its ability to deliver the intended outcomes of the ISMS.

Clause 4.2 - Understanding the Needs and Expectations of Interested Parties requires the organisation to identify which interested parties are relevant to the ISMS and what their relevant requirements are, including legal, regulatory and contractual ones.

Clause 4.3 - Determining the Scope of the Information Security Management System requires the organisation to set out the boundaries and applicability of the ISMS as a documented scope statement.

Clause 4.4 - Information Security Management System requires the organisation to establish, implement, maintain and continually improve an ISMS that meets the requirements of the standard.
