ISO/IEC 27003:2017 pdf download – Information technology — Security techniques — Information security management systems — Guidance.
External issues are those outside of the organization’s control. This is often referred to as the organization’s environment. Analysing this environment can include the following aspects: a) social and cultural; b) political, legal, normative and regulatory; c) financial and macroeconomic; d) technological; e) natural; and f) competitive. These aspects of the organization’s environment continually present issues that affect information security and how information security can be managed. The relevant external issues depend on the organization’s specific priorities and situation. For example, external issues for a specific organization can include: g) the legal implications of using an outsourced IT service (legal aspect); h) characteristics of the nature in terms of possibility of disasters such as fire, flood and earthquakes (natural aspect); i) technical advances of hacking tools and use of cryptography (technological aspect); and j) the general demand for the organization’s services (social, cultural or financial aspects). Internal issues are subject to the organization’s control. Analysing the internal issues can include the following aspects: k) the organization’s culture; l) policies, objectives, and the strategies to achieve them; m) governance, organizational structure, roles and responsibilities; n) standards, guidelines and models adopted by the organization; o) contractual relationships that can directly affect the organization’s processes included in the scope of the ISMS; p) processes and procedures; q) the capabilities, in terms of resources and knowledge (e.g. capital, time, persons, processes, systems and technologies); r) physical infrastructure and environment; s) information systems, information flows and decision making processes (both formal and informal); and t) previous audits and previous risk assessment results. The results of this activity are used in 4.3, 6.1 and 9.3.
In order to identify relevant issues, the following question can be asked: How does a certain category of issues (see a) to t) above) affect information security objectives? Three examples of internal issues serve as an illustration by: Example 1 on governance and organizational structure (see item m)): When establishing an ISMS, already existing governance and organizational structures should be taken into account. As an example, the organization can model the structure of its ISMS based on the structure of other existing management systems, and can combine common functions, such as management review and auditing. Example 2 on policy, objectives and strategies (see item l)): An analysis of existing policies, objectives and strategies, can indicate what the organization intends to achieve and how the information security objectives can be aligned with business objectives to ensure successful outcomes. Example 3 on information systems and information flows (see item s)): When determining internal issues, the organization should identify, at a sufficient level of detail, the information flows between its various information systems. As both the external and the internal issues will change over time, the issues and their influence on the scope, constraints and requirements of the ISMS should be reviewed regularly. Documented information on this activity and its outcome is mandatory only in the form and to the extent that the organization determines as necessary for the effectiveness of its management system (see ISO/IEC 27001:2013, 7.5.1 b)).