ISO/IEC 27003:2017 Information technology – Security techniques – Information security management systems – Guidance.
In order to identify relevant issues, the following question can be asked: how does a certain category of issues (see a) to t) above) affect the information security objectives? Three examples of internal issues illustrate this:
Example 1 on governance and organizational structure (see item m)): When establishing an ISMS, already existing governance and organizational structures should be taken into account. As an example, the organization can model the structure of its ISMS based on the structure of other existing management systems, and can combine common functions, such as management review and auditing.
Example 2 on policy, objectives and strategies (see item l)): An analysis of existing policies, objectives and strategies can indicate what the organization intends to achieve and how the information security objectives can be aligned with business objectives to ensure successful outcomes.
Example 3 on information systems and information flows (see item s)): When determining internal issues, the organization should identify, at a sufficient level of detail, the information flows between its various information systems.
As both the external and the internal issues will change over time, the issues and their influence on the scope, constraints and requirements of the ISMS should be reviewed regularly.
Documented information on this activity and its outcome is mandatory only in the form and to the extent that the organization determines as necessary for the effectiveness of its management system (see ISO/IEC 27001:2013, 7.5.1 b)).
Other information
In ISO/IEC 27000, the definition of “organization” has a note which states that: “The concept of organization includes but is not limited to sole-trader, company, corporation, firm, enterprise, authority, partnership, charity or institution, or part or combination thereof, whether incorporated or not, public or private. Some of these examples are whole legal entities, whilst others are not.”
There are four cases:
1) the organization is a legal or administrative entity (e.g. sole-trader, company, corporation, firm, enterprise, authority, partnership, charity or institution whether incorporated or not, public or private);
2) the organization is a subset of a legal or administrative entity (e.g. part of a company, corporation, enterprise);
3) the organization is a set of legal or administrative entities (e.g. a consortium of sole-traders, larger companies, corporations, firms); and
4) the organization is a set of subsets of legal or administrative entities (e.g. clubs, trade associations).
Understanding the needs and expectations of interested parties
Required activity
The organization determines interested parties relevant to the ISMS and their requirements relevant to information security.
Explanation
Interested party is a defined term (see ISO/IEC 27000:2016, 2.41) that refers to persons or organizations that can affect, be affected by, or perceive themselves to be affected by a decision or activity of the organization. Interested parties can be found both outside and inside the organization and can have specific needs, expectations and requirements for the organization’s information security.