vitormaleite

[ISO/IEC 27001] - (Requirement 4.1) - Understanding the organization and its context

Updated: May 5



Now that we have Top Management support (Requirement 5.1), as we discussed before here, it is time to start structuring our ISMS. Let's go!


We shall start with Requirement 4.1, which the ISO/IEC 27001:2022 standard states as:


The organization shall determine the internal and external issues that are relevant to its purpose and that affect its ability to achieve the intended outcomes of its ISMS [...]

But what does it mean?


When we talk about internal issues, the organization shall consider its organizational structure, roles and responsibilities, organizational culture, competencies, processes, strategic objectives, information systems, infrastructure, etc. In other words, how the organization is structured to deliver its products and/or services.


For the external issues, political, economic, legal, cultural and technological aspects, as well as stakeholders and their requirements, should be considered. This covers how the organization interacts with the external world, so to speak.

To translate this theory into practice, imagine a tourism agency called “Travel with Me” whose objective is to be certified in ISO/IEC 27001:2022 by the end of 2024, starting with the headquarters. To get there, it first needs to structure the ISMS and get it running.


The “Travel with Me” agency has been operating for more than 10 years, is a major reference in its sector, has its headquarters in Salvador, Brazil, and has affiliated branches in 80% of Brazilian cities. Whether a person wants to travel by car, ship or airplane, the organization handles all the bureaucratic work so you don’t have to be stressed about your trip.


Focusing our efforts on the “Travel with Me” headquarters, in the interviews we conducted we discovered:

  1. The company works in a hybrid mode (on-site and remote);

  2. The organization chart has Top Management at the top, with areas such as Marketing, Commercial, IT, HR and Administration/Finance below it;

  3. The area that deals directly with clients is the Commercial area; the other areas are considered back office;

  4. Clients are served through WhatsApp Business online and at the office for in-person assistance;

  5. The company uses the official Microsoft Office and Defender packages;

  6. The ITSM tool is Desk Manager, which is used across the whole company;

  7. Top Management is engaged and supports the ISMS;

  8. The company receives financial contributions from investors;

  9. Each area has its processes, policies, standards and procedures documented and published on the company’s intranet (which is a SharePoint site);

  10. To handle all the intermediation with hotel chains, car rental companies, cruise lines, airlines and tour operators, “Travel with Me” uses a system called Karen, from a supplier of the same name, which enables this centralization. Among its partners, the main ones are Hotel Network A, Airline Company M, Car Rental Y, Cruise Company L and Tour Operator R;

  11. Below IT are the Support, Infrastructure and Information Security areas (I don’t agree with this arrangement, but this is the information they gave us, haha);

  12. They process personal data, so they need to comply with the Brazilian Data Protection Law, and, as they operate in tourism, with the laws and regulations of that sector.


Obviously, in reality we would have more information, but with this example we can analyze “Travel with Me” against requirement 4.1. Visually, the headquarters’ organizational structure is organized as follows:


In this exercise, the organizational structure (topic 2 mentioned above) together with topics 1, 2, 3, 4, 5, 6, 7, 9 and 11 relate directly to the internal issues, while topics 8, 10 and 12 relate directly to the external issues. In a more complete view, this is what we have:

Documenting the internal and external issues separately is not mandatory, but it is really important to formalize them in the ISMS scope documentation, as we will see in a future article. To illustrate, I used something similar to a canvas, but other techniques can obviously be used, such as SWOT analysis, PEST analysis and the 7S framework.


To be compliant with this requirement, it is not the technique that matters, especially since the standard is not prescriptive. In the end, the most important thing is to have a view of how the company is structured and of its internal and external relationships, and with that view to be able to identify and manage the whole lifecycle of information inside and outside the company; in this case, “Travel with Me”.


In the next article we will move on to the next requirement, 4.2.


I’m counting on you to keep reading.


See you soon
