One of the key changes in the 2013 version of the standard is that it urges you to understand the organization before defining the scope of the information security management system. This is referred to as "Context of the organization" in Clause 4. Perhaps this is the most relevant change required for implementing the standard in a real sense. But there is always confusion about how to tackle this requirement. The best approach, from my viewpoint, is to start with:
- Initial Discussion: Have a discussion with the stakeholder(s) who have an overall idea of the entire organization. You should be very particular in selecting this person; a resource with a fair understanding of the processes and an overall idea of the organization will be the best choice.
- Information Flow Diagram: The next step is to create an Information Flow Diagram. The diagram should clearly depict the departments/entities along with the flow of data between them.
The advantages of this approach are:
- The entire organization is covered, and it is very unlikely that we miss any function/process/department
- There will be more clarity on the scope that needs to be defined
- The diagram can also give inputs to the Risk Assessment