GB/T 29246-2023 Information technology - Security techniques - Information security management systems - Guidance
1 Scope
This document provides explanation and guidance on GB/T 22080-2016.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content constitutes requirements of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
GB/T 22080-2016 Information technology - Security techniques - Information security management systems - Requirements
GB/T 29246-2017 Information technology - Security techniques - Information security management systems - Overview and vocabulary
3 Terms and definitions
For the purposes of this document, the terms and definitions given in GB/T 29246-2017 apply.
4 Context of the organization
4.1 Understanding the organization and its context
Required activity
The organization determines external and internal issues relevant to its purpose and affecting its ability to achieve the intended outcome(s) of the information security management system (ISMS).
Explanation
As an integral function of the ISMS, the organization continually analyses itself and the world surrounding it. This analysis is concerned with external and internal issues that in some way affect information security and how information security can be managed, and that are relevant to the organization’s objectives.
Analysis of these issues has three purposes:
——understanding the context in order to decide the scope of the ISMS;
——analysing the context in order to determine risks and opportunities; and
——ensuring that the ISMS is adapted to changing external and internal issues.
External issues are those outside of the organization’s control. This is often referred to as the organization’s environment. Analysing this environment can include the following aspects:
a) social and cultural;
b) political, legal, normative and regulatory;
c) financial and macroeconomic;
d) technological;
e) natural; and
f) competitive.
These aspects of the organization’s environment continually present issues that affect information security and how information security can be managed. The relevant external issues depend on the organization’s specific priorities and situation.
For example, external issues for a specific organization can include:
g) the legal implications of using an outsourced IT service (legal aspect);
h) characteristics of the natural environment in terms of the possibility of disasters such as fire, flood and earthquake (natural aspect);
i) technical advances of hacking tools and use of cryptography (technological aspect); and
j) the general demand for the organization’s services (social, cultural or financial aspects).
Internal issues are subject to the organization’s control. Analysing the internal issues can include the following aspects:
k) the organization’s culture;
l) policies, objectives, and the strategies to achieve them;
m) governance, organizational structure, roles and responsibilities;
n) standards, guidelines and models adopted by the organization;
o) contractual relationships that can directly affect the organization’s processes included in the scope of the ISMS;
p) processes and procedures;
q) the capabilities, in terms of resources and knowledge (e.g. capital, time, persons, processes, systems and technologies);
r) physical infrastructure and environment;
s) information systems, information flows and decision making processes (both formal and informal); and
t) previous audits and previous risk assessment results.
The results of this activity are used in 4.3, 6.1 and 9.3.
Guidance
Based on an understanding of the organization’s purpose (e.g. referring to its mission statement or business plan) as well as the intended outcome(s) of the organization’s ISMS, the organization should:
——review the external environment to identify relevant external issues; and
——review the internal aspects to identify relevant internal issues.
In order to identify relevant issues, the following question can be asked: How does a certain category of issues (see a) to t) above) affect the information security objectives? Three examples of internal issues serve as an illustration:
Example 1 on governance and organizational structure (see item m)): When establishing an ISMS, already existing governance and organizational structures should be taken into account. As an example, the organization can model the structure of its ISMS based on the structure of other existing management systems, and can combine common functions, such as management review and auditing.
Example 2 on policy, objectives and strategies (see item l)): An analysis of existing policies, objectives and strategies can indicate what the organization intends to achieve and how the information security objectives can be aligned with business objectives to ensure successful outcomes.
Example 3 on information systems and information flows (see item s)): When determining internal issues, the organization should identify, at a sufficient level of detail, the information flows between its various information systems.
As both the external and the internal issues will change over time, the issues and their influence on the scope, constraints and requirements of the ISMS should be reviewed regularly.
Documented information on this activity and its outcome is mandatory only in the form and to the extent that the organization determines as necessary for the effectiveness of its management system (see GB/T 22080, 7.5.1 b)).