Context refers to the set of factors, internal and external to the organization, that may influence information security under ISO 27001.
The context analysis lists the factors that affect information security (risk awareness, the state of the technology in use, the available budget) and documents how each of them exerts its influence. It then lists the interested parties (stakeholders) and their needs.
By following this article you will be able to develop an effective context analysis as required by clause 4 of ISO 27001:2017. It takes only 4 simple steps and yields an effective document from which you can begin to identify threats and assess the risks to information security.
Bring together the working group (top management, process managers, IT managers, system administrator, information security management system manager, etc.) and do the following:
1. Identify factors that affect information security
The factors that are known to influence information security within an organization are as follows:
- Awareness of risks by people
- Risk awareness by top management
- Training of people in the field of information security and cybersecurity
- Technological evolution of the security sector in information management
- Technological adequacy of devices for physical and logical data protection
- Available budget to be used in information security investments
2. Describe the influence exerted by the factor
For each factor identified, explain the influence on your organization in relation to information security, as in the following examples:
NAME OF THE FACTOR: Awareness of risks by people
Description of the influence:
No technological solution can make up for wrong behaviours, whether induced or deliberate, just as no technology can withstand a well-structured and well-prepared social engineering attack. The organization believes that working on people, their behaviours and their habits gives greater assurance of the effectiveness of the controls put in place to address risks to information.
The risk awareness of the people who oversee the operation of the controls has such a bearing that the organization considers security to be not only “system-centric” but also (and increasingly) “person-centric”.
Very expensive investments in cutting-edge security infrastructure can easily be bypassed by dangerous behaviours dictated by a wrong perception of risk, but also by behaviours conditioned by ambition at work, fear of one's superior, the need for recognition, and so on.
NAME OF THE FACTOR: Risk awareness by top management
Description of the influence:
It is essential for senior management to be aware of the risks to information security as the effective functioning of the management system is one of its responsibilities. This awareness must also cover the risks arising from the behaviour of its employees and consultants. The awareness of the risks on the part of the top management has a significant impact on the authorization or delegation powers that the top management attributes to its staff.
Management’s awareness here refers to awareness of the impacts and effects of a compromise of information, including any legal consequences.
3. Interested parties
a. Identify stakeholders
By way of example, the interested parties, and the needs that affect the organization’s ability to achieve the expected results of its information security management system, are as follows:
- Customers
- Corporate structure/owner of the organization
- Investors
- People of the organization
b. Describe the needs and expectations of stakeholders that may affect information security
As with contextual factors, the organization must also understand and document the relevant needs that may affect information security management for each of the stakeholders. Here are some examples:
NAME OF THE INTERESTED PARTY: Customers
Needs, expectations and potential effects on the capacity of the organization
Customers need to be able to rely on the security of the data they provide to the organization for analysis. This need concerns above all confidentiality: if such data were disseminated, accidentally or deliberately, and came into the possession of competing companies, the customer could suffer significant economic harm, including the loss of market share.
The customer’s need for the confidentiality of their data has a profound impact on the organization’s choices of investment in new technology; the organization makes confidentiality a performance factor of its service.
NAME OF THE INTERESTED PARTY: Corporate structure/owner of the organization
Needs, expectations and potential effects on the organization’s capabilities
The owners of the organization are interested in protecting information related to their data analysis processes from disclosure. Such information, like that of the customer, could undermine business continuity and compromise the relationship that the organization maintains with its market segment if it came into the possession of competing companies. Data analysis algorithms and procedures must also be protected from events that could compromise their integrity. The organization adopts the information security management system, applying all the controls provided for by ISO 27001:2017, to protect its know-how, which represents the true capital of the organization.
The analysis of the context of the organization will facilitate the identification of dangers to the security of information and the preparation of the necessary controls to avoid the risks of loss of confidentiality, integrity and availability.