The business context for information risk and security
Although the organisational/business context is clearly relevant and important to information risk and security management, it is tricky to describe.
In my opinion, clause 4 of ISO/IEC 27001 is so succinct that it leaves readers perplexed as to what 'context' even means. It stops short of explaining how to determine and make use of various 'internal and external issues' in an Information Security Management System.
So, to help clients, I wrote and released a pragmatic 5-page management guideline on this topic for the SecAware ISMS toolkit, expanding on this neat little summary diagram:
With about a thousand words of explanation and pragmatic advice, the guideline has roughly ten times as many words as clauses 4.1 and 4.2 ... or twenty times if you accept that the picture is worth a thousand words. It was written independently of, and complements, ISO/IEC 27003's advice in this area.
Although I am happy with the SecAware ISMS toolkit materials as they are, I'm always looking for improvement opportunities, ways to add more value for clients. I'm currently working on, or at least thinking about:
- A set of fundamental information risk and security principles;
- A guideline on the Risk Treatment Plan and Statement of Applicability;
- Something on security engineering, perhaps: lots of literature to study first.