How to start with Context of the Organization in ISO 27001:2013?

One of the key changes in the 2013 version is that the standard requires you to understand the organization before defining the scope of the information security management system (ISMS). This is referred to as Context of the organization in Clause 4 (4.1 and 4.2), which deliberately comes before the scope definition in 4.3. This is perhaps the most relevant change needed to implement the standard in a real sense, but there is always confusion about how to tackle this requirement. From my viewpoint, the best approach to start with is:

  1. Initial Discussion: Have a discussion with one or more stakeholders who have an overall idea of the entire organization. Be very particular in selecting the person: someone with a fair understanding of the processes and an overall view of the organization is the best choice.
  2. Information Flow Diagram: The next step is to create an Information Flow Diagram. It should clearly depict the departments/entities along with the flow of data between them, including data exchanged with external parties such as customers, suppliers and regulators, since those are the flows the scope boundary will eventually have to cut across.

The advantages of this approach are:

  1. The entire organization is covered, and it is very unlikely that any function/process/department is missed.
  2. There is more clarity on the scope that needs to be defined, because every information flow either sits inside the boundary or crosses it.
  3. It also gives inputs to the Risk Assessment, since each flow on the diagram is a candidate asset and interface to assess.
