ISO/IEC 27003-2017 pdf free download.Information technology – Security techniques – Information security management systems – Guidance.
This document provides explanation and guidance on ISO/IEC 27001:2013.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content constitutes requirements of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 27000:2016, Information technology — Security techniques — Information security management systems — Overview and vocabulary
ISO/IEC 27001:2013, Information technology — Security techniques — Injórmation security management systems — Requirements
3 Terms and definitions
For the purposes of this document, the terms and definitions given in lSO/IEC 27000:20 16 apply.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— IEC Electropedia: available at
— ISO Online browsing platform: available at http://www.isoorg/obp
4 Context of the organization
4.1 Understanding the organization and its context Required activity
The organization determines external and internal issues relevant to its purpose and affecting its ability to achieve the intended outcome(s) olthe information security management system (ISMS).
As an integral function of the ISMS. the organization continually analyses itself and the world surrounding it. This analysis is concerned with external and internal issues that in some way affect information security and how information security can be managed, and that are relevant to the organization’s objectives.
Analysis of these issues has three purposes:
— understanding the context in order to decide the scope of the ISMS;
— analysing the context in order to determine risks and opportunities; and
External issues are those outside of the organization’s control. This is often referred to as the
organization’s environment. Analysing this environment can include the following aspects:
a) social and cultural;
b) political, legal, normative and regulatory;
c) financial and macroeconomic;
d) technological;
e) natural; and
f) competitive.
These aspects of the organization’s environment continually present issues that affect information security and how information security can be managed. The relevant external issues depend on the organization’s specific priorities and situation.
For example, external issues for a specific organization can include:
g) the legal implications of using an outsourced IT service (legal aspect);
h) characteristics of the nature in terms of possibility of disasters such as fire, flood and earthquakes (natural aspect);
I) technical advances of hacking tools and use of cryptography (technological aspect); and
j) the general demand for the organization’s services (social, cultural or financial aspects). Internal issues are subject to the organization’s control. Analysing the internal issues can include the following aspects:
k) the organization’s culture;
I) policies, objectives, and the strategies to achieve them;
m) governance, organizational structure, roles and responsibilities;
n) standards, guidelines and models adopted by the organization;
o) contractual relationships that can directly affect the organization’s processes included in the scope of the ISMS;
p) processes and procedures;
q) the capabilities, in terms of resources and knowledge (e.g. capital, time, persons, processes, systems and technologies);
r) physical infrastructure and environment.ISO/IEC 27003 pdf download.