Clause 4.1 of the standard requires identifying the internal & external issues of an organization, but the standard does not say how to do this. The simplest way is to list all the internal & external issues, but such a list is unlikely to be exhaustive, since there is a good chance that some issues are missed. Hence, it is always recommended to follow a structured approach. The two possible approaches from my viewpoint are:
- Mind maps: Create a mind map that depicts the various internal & external issues. To build the mind map, discuss the internal & external issues with all the relevant stakeholders and gather as much information as you can. You may also refer to the information diagram developed earlier. While performing the activity, keep the internal & external context in mind & try to relate the inputs to it. Once the mind map is developed, you can tabulate the issues it contains.
- SWOT & PESTLE analysis: You can do a SWOT (Strengths, Weaknesses, Opportunities & Threats) analysis to find the internal issues and a PESTLE (Political, Economic, Social, Technological, Legal, Environmental) analysis to find the external issues.
While identifying the internal & external issues, I recommend doing it at an organizational level, considering the organization as a whole, even though our focus is to find the issues that can affect the information security management system. Once the issues are identified, you may pick those relevant to information security. This activity will also provide inputs to your risk assessment, as some of the issues identified will have to be treated during your risk assessment.