ISO 27001 is a specification for an information security management system (ISMS). Unsurprisingly, therefore, it sets out requirements for a management framework. The fourth step in ISMS implementation is to create this framework.

Clause 4 of ISO 27001 says the organization must identify the needs and expectations of interested parties, as well as the internal context of the organization, and these should be taken into account in establishing the scope of the ISMS.

You started to identify these requirements when creating your project risk register, so you should revisit this information and build on it. The external context will include the business and risk environment, what is going on in your sector, and any ...