When looking to meet clauses 4.1 through 4.4 (4.1 context of the organisation, 4.2 needs and expectations of interested parties, 4.3 scope of the ISMS, 4.4 the ISMS itself), you should start at clause 4.2. Then move on to clause 4.1. Then work on 4.4 and finally tackle clause 4.3. These clauses work as a group, with each clause linked to the others.
However, don't just jump in boots and all. Meeting these clauses requires careful planning with your Top Management's involvement. You must determine who will participate in this process, where the process will take place, and what data is necessary.
Here at Mango, we devoted a whole day discussing and understanding clauses 4.2 and 4.1. So that there were few distractions, we worked off site and banned the use of cell phones.
Firstly, we brainstormed and listed who were our interested parties.
At Mango we defined interested parties as those organisations or people who influence our operation and those that are affected by our operation. For sure this can be quite a list but it is a really good exercise.
For Mango these included customers, employees, partners, suppliers, contractors, government, local councils, registrars and the general public.
Next we debated how each party has, or could have, an impact on our information security management system (ISMS), on us and on our product.
Finally we documented each party's needs and expectations on a simple spreadsheet.
With our interested parties as a starting point, we then debated the context of the organisation (clause 4.1).
We have used a Brand Compass for years that describes our vision, our mission and our values. The compasses cover:
We then fleshed this out some more with a SWOT analysis. This analysis is a review of our strengths and our weaknesses, as well as the opportunities and threats to the business.
This analysis helps us understand the business environment we operate in. Included in this we identified internal and external issues, both positive and negative, that could have an impact on us in terms of information security.
Now we had a clear understanding of the context in which we operate and how that informs our information security management system.
Once you have clauses 4.1 and 4.2 completed, you should determine what the ISMS should look like and how it should be managed (clause 4.4).
As we already had a quality management system in place that meets ISO 9001:2015, we decided that the ISMS would fit easily side-by-side with the QMS. The ISMS therefore integrates with the QMS to become our integrated management system (IMS).
We rewrote many of our procedures to include information security, but the overall structure is unchanged from how it looked as a QMS.
Having documented 4.1, 4.2 and 4.4, we were in a position to determine the scope of our ISMS (clause 4.3).
You need to take into account your whole organisation. Clause 4.3 requires the scope to consider the internal and external issues from 4.1, the requirements of interested parties from 4.2, and the interfaces and dependencies between your activities and those performed by other organisations. The statement of applicability was a great help here in determining what was in or out of the ISMS.
Takeaway
The steps to meeting clauses 4.1 to 4.4 of ISO 27001 are:
View previous blogs in this series "ISO 27001 Information Security Management Standard":
ISO 27001 Information Security Management Standard: Principle 5 - Enhancing Societal Values