Understanding the organization and its context
The organization shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its information security management system.
Understanding the needs and expectations of interested parties, part a)
The organization shall determine: a) interested parties that are relevant to the information security management system.
Understanding the needs and expectations of interested parties, part b)
The organization shall determine: b) the relevant requirements of these interested parties. Note: the requirements of interested parties include legal and regulatory requirements and contractual obligations.
Understanding the needs and expectations of interested parties, part c)
The organization shall determine: c) which of these requirements will be addressed through the information security management system.
Determining the scope of the information security management system, part a)
The organization shall determine the boundaries and applicability of the information security management system to establish its scope. When determining this scope, the organization shall consider: the external and internal issues referred to in 4.1. The scope shall be available as documented information.
Determining the scope of the information security management system, part b)
The organization shall determine the boundaries and applicability of the information security management system to establish its scope. When determining this scope, the organization shall consider: the requirements referred to in 4.2. The scope shall be available as documented information.
Determining the scope of the information security management system, part c)
The organization shall determine the boundaries and applicability of the information security management system to establish its scope. When determining this scope, the organization shall consider: interfaces and dependencies between activities performed by the organization, and those that are performed by other organizations. The scope shall be available as documented information.
Information security management system
The organization shall establish, implement, maintain, and continually improve an information security management system, including the processes needed and their interactions, in accordance with the requirements of this International Standard.