What are the internal and external issues in ISO 27001?

If your company is ISO 27001 certified, understanding the internal and external issues relevant to your ISMS (Information Security Management System) is crucial. Identifying these issues affects the system’s ability to achieve its intended outcomes. Recognising your organisational context helps provide a clearer view of both positive and negative influences on information security, allowing you to allocate resources more effectively. 

Understanding the organisation’s context is also a requirement under clause 4.1 of the ISO 27001 standard. Below, we explore the internal and external contexts that may influence an organisation’s ability to achieve its intended outcomes. 

Internal issues affecting ISMS outcomes 

Internal issues involve factors within the direct control of a company. These include:

• Organisational structure: This defines how activities are directed and aligned to achieve the organisation’s long-term goals. Understanding the roles and responsibilities related to ISO 27001 helps position the ISMS effectively. 
• Available resources: These are the organisational infrastructure, systems, processes, personnel, technology, equipment, knowledge, and time that guide the development of solutions, competencies, and acquisitions. 
• Organisational drivers: Factors that help develop support and infrastructures critical for defining an organisation’s information security strategies, objectives, and policies. These often include the organisation’s mission, vision, and values. 
• Organisational operations: Knowing how the organisation executes operations is vital. Understanding processes, decision-making, and information flow within the organisation helps integrate information security processes and determine the ISMS scope. 

External issues affecting ISMS outcomes 

External issues are factors outside an organisation that impact its progress or success. While an organisation cannot control these factors, it can adapt to them. They include:

• Applicable legal and regulatory policies: Laws and regulations the organisation must comply with. 
• Market and customer trends: Constantly changing trends require vigilance. For example, the adoption of cloud services is a trend that should be considered in the ISMS. 
• External relationships: The values, beliefs, and perceptions of external interested parties must be considered. 
• Technological trends: New technologies can provide new ways to safeguard information or make existing security controls obsolete. 
• Political and economic factors: Economic and political conditions can significantly impact business operations. 

How to document internal and external issues 

Under ISO/IEC 27001, you are not required to document the context of the organisation in a separate document. However, you must document information on specific issues. For external issues, you should document your information security goals, outcomes of risk assessments, information assets, and the competence of your staff. You must also document the relevant regulatory, contractual, legislative, and statutory requirements.