
ISO 27001 Clause 4.2 & 4.4 Implementation Guideline

This article explains the implementation guidance for ISO 27001 Clause 4.2 and Clause 4.4.

Clause 4.2 Understanding the needs and expectations of interested parties

Required activity
The organization determines interested parties relevant to the ISMS and their requirements relevant to information security.

Interested party is a defined term that refers to persons or organizations that can affect, be affected by, or perceive themselves to be affected by a decision or activity of the organization. Interested parties are found both outside and inside the organization and may have specific needs, expectations and requirements for the organization's information security.

External interested parties can include:
a) Regulators and legislators;
b) Shareholders including owners and investors;
c) Suppliers including subcontractors, consultants, and outsourcing partners;
d) Industry associations;
e) Competitors;
f) Customers and consumers;
g) Activist groups.

Internal interested parties can include:
a) Decision makers including top management;
b) Process owners, system owners, and knowledge owners;
c) Support functions like IT or Human Resources;
d) Employees and users;
e) Information security professionals.

Implementation Guidance

The following steps should be taken:
— identify external interested parties;
— identify internal interested parties;
— identify requirements of interested parties.
As the needs, expectations and requirements of interested parties change over time, these changes and their influence on the scope, constraints and requirements of the ISMS should be reviewed regularly.
Documented information on this activity and its outcome is mandatory only in the form and to the extent the organization determines necessary for the effectiveness of its management system.

Clause 4.4 Information security management system

Required activity
The organization establishes, implements, maintains and continually improves the ISMS.

ISO/IEC 27001:2013, 4.4 states the central requirement for establishing, implementing, maintaining and continually improving an ISMS. While the other parts of ISO/IEC 27001 describe the specific elements of an ISMS, 4.4 mandates that the organization ensure all required elements are met in order to establish, implement, maintain and continually improve the ISMS.

Questions related to this topic

  1. Explain ISO 27001 Clause 4.2 & 4.4 Implementation Guideline?


This Blog Article is posted by

Infosavvy, 2nd Floor, Sai Niketan, Chandavalkar Road Opp. Gora Gandhi Hotel, Above Jumbo King, beside Speakwell Institute, Borivali West, Mumbai, Maharashtra 400092
