# Clause 4: Context of the organisation (4.1)
> Clause 4 is all about the mixture of internal and external issues that can affect an organisation's approach to developing and achieving its objectives.
### Understanding the organisation and its context (4.1)
> Understand the internal and external issues that could affect the ISMS and that are relevant to the organisation's purpose.
This section requires the organisation to understand itself in terms of the external and internal issues that are relevant to its purpose and that could affect its ability to achieve the intended outcome of the ISMS (4.1).
This should consider things such as:
**Internal Issues Examples**
- **Governance and organisational structure** - Identifying commonality and possible needs for change
- **Information Systems and information flows** - Identify information flows and BAU systems, resourcing and knowledge in the organisation
- **Policy, objectives and strategies (POS)** - For alignment and integration
**External Issues Examples**
- [[PESTLER Factors]]
- Relationships with, and perceptions and values of, stakeholders
- Key drivers and trends
- Relationships and perceptions of stakeholders
- Standards and guidelines already in place
- Contractual relationships
- Organisational culture
### Understanding the needs and expectations of interested parties (4.2)
> Identify internal and external parties; then identify the requirements that stem from these; then identify possible treatment through the ISMS.
It's important to identify which parties are relevant to the ISMS, and what requirements stem from those interested parties (4.2 a and b).
It must then be asked: Which of these requirements will be addressed through the ISMS? (4.2c)
> 💡 **Interested parties are not just good-faith actors or components of business as usual**; they can also be terrorists, criminals, the state, and activists. Any party that is relevant to the information security management system should have its requirements identified and addressed through the ISMS.
Remember that the [[PESTLER Factors]] may help when brainstorming interested parties.
**Examples of interested parties**
- Citizens
- Customers
- Distributors
- Shareholders
- Investors
- Owners
- Contractors
- Competitors
- Staff dependents
- Insurers
- Government
- Regulators
- Management
- Those accountable for ISMS Policy/Implementation
- Maintainers
- Other Staff
- Media
- Trade Groups
- Emergency Services
### Determining the scope of the information security management system (4.3)
The scope can only be considered once you have a proper understanding of the context of your organisation, achieved by determining the internal and external issues of the organisation (4.1) alongside the internal and external interested parties relevant to the ISMS (4.2). Once these issues and parties, and the means of discovering them, have been fully explored (including any interactions, interfaces and dependencies within the organisation and with other organisations, such as anything that is outsourced), you are ready to set the scope (4.3 a, b and c).
The scope must be documented information, and identifies what systems and processes are in place - usually to support an identified strategic objective. The scope will almost always reference a [[Statement of Applicability]] (produced in accordance with 6.1.3d), which outlines controls and their implementation.
> 💡 You should be able to ask an org for a scope and statement of applicability regarding their move to ‘align’ or comply with ISO 27001.
### Information Security Management System (4.4)
This section is one sentence, and very clearly put.
‘The organisation shall establish, implement, maintain and continually improve an ISMS, ***including the processes needed and their interactions***, in accordance with the requirements of this document.’
> 💡 **The 2022 version of this standard introduced the wording that I bold and italicise above: *including the processes needed and their interactions*.** This highlights and focuses the need for organisations to demonstrate the implementation, maintenance, monitoring and assessment of processes to support compliance with 4.4.