graphgrc

ISO 27001 - 4 - Context of the organization

4.1

Understanding the organization and its context

The organization shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its information security management system.

Mapped SCF controls

• CPL-01 - Statutory, Regulatory & Contractual Compliance
• GOV-09 - Define Control Objectives

4.2.a

Understanding the needs and expectations of interested parties, part a)

The organization shall determine: a) interested parties that are relevant to the information security management system.

Mapped SCF controls

• AST-01.2 - Stakeholder Identification & Involvement

4.2.b

Understanding the needs and expectations of interested parties, part b)

The organization shall determine: b) the relevant requirements of these interested parties. Note: the requirements of interested parties include legal and regulatory requirements and contractual obligations.

Mapped SCF controls

• GOV-09 - Define Control Objectives

4.2.c

Understanding the needs and expectations of interested parties, part c)

The organization shall determine: c) which of these requirements will be addressed through the information security managment system

Mapped SCF controls

• GOV-09 - Define Control Objectives

4.3.a

Determining the scope of the information security management system, part a)

The organization shall determine the boundaries and applicability of the information system management system to establish its scope. When determining this scope, the organization shall consider: the external and internal issues referred to in 4.1 The scope shall be available as documented information.

Mapped SCF controls

• CPL-01.2 - Compliance Scope

4.3.b

Determining the scope of the information security management system, part b)

The organization shall determine the boundaries and applicability of the information system management system to establish its scope. When determining this scope, the organization shall consider: the requirements referred to in 4.2. The scope shall be available as documented information.

Mapped SCF controls

• CPL-01.2 - Compliance Scope

4.3.c

Determining the scope of the information security management system, part c)

The organization shall determine the boundaries and applicability of the information system management system to establish its scope. When determining this scope, the organization shall consider: interfaces and dependencies between activities performed by the organization, and those that are performed by other organizations. The scope shall be available as documented information.

Mapped SCF controls

• CLD-06.1 - Customer Responsibility Matrix (CRM)
• CPL-01.2 - Compliance Scope
• TPM-05.4 - Responsible, Accountable, Supportive, Consulted & Informed (RASCI) Matrix

4.4

Information security management system

The organization shall establish, implement, maintain, and continually improve an information security management system, including the processes needed and thier interactions, in accordance with the requirements of this International Standard.

Mapped SCF controls

• GOV-01 - Cybersecurity & Data Protection Governance Program
• GOV-01.1 - Steering Committee & Program Oversight

This site is open source. Improve this page.