Information Security Context, Requirements and Scope [Insert classification]
Implementation guidance The header page and this section, up to and including Disclaimer, must be removed from the final version of the document. For more details on replacing the logo, yellow highlighted text and certain generic terms, see the Completion Instructions document.
Purpose of this document This document sets out the organizational context of the ISMS. It describes what the organization does, how it does it, what factors influence the way it operates and the reasons for the definition of the scope of the ISMS.
Areas of the standard addressed The following areas of the ISO/IEC 27001 standard are addressed by this document: •
• •
4. Context of the Organization o 4.1 Understanding of the organization and its context o 4.2 Understanding the needs and expectations of interested parties o 4.3 Determining the scope of the ISMS o 4.4 Information security management system 5. Leadership o 5.1 Leadership and commitment A.18 Compliance o A.18.1 Compliance with legal and contractual requirements ▪ A.18.1.1 Identification of applicable legislation and contractual requirements
General guidance If your organization already has ISO9001 certification then much of the contents of this document may already be documented, in which case this information will need to be readily available at the ISO/IEC 27001 audit. This is a key document that will need involvement from senior management to put together. In overview, it describes why an effective ISMS is needed and what may happen to the organization if one is not in place. The business impact analyses, and risk assessments required by later sections of the standard will then define this in more detail.
Version 1
Page 2 of 22
[Insert date]
