Major change : Compatibility with other

management system standards

This International Standard applies the high-level

structure, identical sub-clause titles, identical text,
common terms, and core definitions defined in Annex SL
of ISO/IEC Directives, Part 1, Consolidated ISO
Supplement, and therefore maintains compatibility with
other management system standards that have adopted
the Annex SL.
This common approach defined in the Annex SL will be
useful for those organizations that choose to operate a
single management system that meets the requirements
of two or more management system standards.
 The basic structure

1 Scope 7 Support
2 Normative references 7.1 Resources
3 Terms and definitions. 7.2 Competence
4 Context of the organization 7.3 Awareness
4.1 Understanding the organization and its context 7.4 Communication
4.2 Understanding the needs and expectations of interested 7.5 Documented information
parties 8 Operation
4.3 Determining the scope of the information security 8.1 Operational planning and control
management system 8.2 Information security risk assessment
4.4 Information security management system 8.3 Information security risk treatment
5 Leadership 9 Performance evaluation
5.1 Leadership and commitment 9.1 Monitoring, measurement, analysis and evaluation
5.2 Policy 9.2 Internal audit
5.3 Organizational roles, responsibilities and authorities 9.3 Management review
6 Planning 10 Improvement.
6.1 Actions to address risks and opportunities 10.1 Nonconformity and corrective action
6.2 Information security objectives and planning to achieve 10.2 Continual improvement.
them

Annex A
Bibliography
 4. Context of the organization

4.1 Understanding the organization and its context

The organization shall determine external and
internal issues that are relevant to its purpose and
that affect its ability to achieve the intended
outcome(s) of its information security management
system.
By establishing the context, the organization articulates its objectives, defines the external
and internal parameters to be taken into account when managing information security risk,
and sets the scope and risk criteria for the remaining process. When establishing the
context for the information security management process, they need to be considered in
great detail and particularly how they relate to the scope of the particular process.
 Establishing the external context
The external context is the external environment in which the
organization seeks to achieve its objectives. Understanding the
external context is important in order to ensure that the objectives
and concerns of external stakeholders are considered when developing
the system. It is based on the organization-wide context, but with
specific details of legal and regulatory requirements, stakeholder
perceptions and other aspects of information security specific to the
scope of the process.
The external context can include, but is not limited to:
the social and cultural, political, legal, regulatory, financial,
technological, economic, natural and competitive environment,
whether international, national, regional or local;
key drivers and trends having impact on the objectives of the
organization; and
relationships with, perceptions and values of external stakeholders.
 Establishing the internal context
The internal context is the internal environment in which the organization seeks to achieve its
objectives.
The information security management process should be aligned with the organization's culture,
processes, structure and strategy. Internal context is anything within the organization that can
influence the way in which an organization will manage information security.
It is necessary to understand the internal context. This can include, but is not limited to:
governance, organizational structure, roles and accountabilities;
policies, objectives, and the strategies that are in place to achieve them;
capabilities, understood in terms of resources and knowledge (e.g. capital, time, people,
processes, systems and technologies);
the relationships with and perceptions and values of internal stakeholders;
the organization's culture;
information systems, information flows and decision making processes (both formal and
informal);
standards, guidelines and models adopted by the organization; and
form and extent of contractual relationships.
4.2 Understanding the needs and expectations of interested parties
The organization shall determine:
a) interested parties that are relevant to the information security management
system; and
b) the requirements of these interested parties relevant to information security.

4.3 Determining the scope of the information security management system

The organization shall determine the boundaries and applicability of the
information security management system to establish its scope. When
determining this scope, the organization shall consider:
a) the external and internal issues referred to in 4.1;
b) the requirements referred to in 4.2; and
c) interfaces and dependencies between activities performed by the organization,
and those that are performed by other organizations.
The scope shall be available as documented information.