Information Security Management

ISO 27001 Clause 4: Context of the Organisation

ISO 27001 Clause 4: Context of the Organisation is the starting point of your ISMS journey. It asks you to understand your organisation and its context before diving into security planning.

Read on below to learn what it means and how to implement it.

Tools & Services ← Back to clauses

Explore Each ISO 27001 Clause in More Detail by Selecting One to View

Clause 4
Context of the
Organisation

Clause 9
Performance
Evaluation

Clause 10
Improvement

ISO 27001 Clause 4 Context of the Organisation Explained In 3 Minutes

Written by Alan Parker – ISO 27001 Consultant

> Back to the ISO 27001 Clauses Overview (Intro)

Overview of Clause 4: Context of the Organisation

ISO 27001 Clause 4 “Context of the Organisation” is asking you to consider the influences and factors that shape your Information Security Management System (ISMS). Questions like;

What data are you protecting?
Who are you protecting it for?
What systems / business functions process the data?

When we can answer questions like these, we can define the ‘context’ of our organisation’s ISMS.

TLDR: It’s where we define the scope of our security.

There are four main subclasses within clause 4, each relating to defining the scope and shape of your ISMS.

They are;

4.1 Understanding the organisation and its context
4.2 Understanding the needs and expectations of interested parties
4.3 Determining the scope of the information security management system
4.4 Information security management system. This subclause requires organisations to establish and maintain effective information security management systems.

a diagram showing the structure and subclauses of iso 27001 clause 4 context of the organisation — The subclauses of clause 4

Clause 4.1 – Understanding the Organisation and its Context

In Clause 4.1, the standard asks you to identify the internal and external issues (sometimes referred to as internal or external issues and internal and external factors) relevant to your organisation’s purpose and affecting your ability to achieve the ISMS’s intended outcomes.

In simpler terms, what is the context in which your business operates?

“Context” is a strange word to use, but it refers to the internal factors (e.g., your organisational structure, culture, staff size, IT infrastructure, etc.) and external factors (e.g., market conditions, regulatory environment, threat landscape, economic conditions, competitors, technologies, external environment, economic environment, regulatory changes, etc.) that might impact information security.

As part of this process, it is important to identify internal and external factors and issues that could affect your ISMS.

For a small company, an internal issue might be something like “limited IT staff wearing multiple hats,” and an external issue might be “strict data privacy laws in our industry” or “increasing cybersecurity threats targeting our sector.”

There’s no prescribed method for gathering this information (I use a workbook, which you can access below). Some companies do a SWOT or PESTLE analysis, and others brainstorm in a management meeting. Indeed, I’ve been asked a lot over the years in audits to show my SWOT and PESTLE analysis, but I rarely actually do them, preferring my own approach.

Whichever method you use, consider going a bit deeper and seeking more detail in your analysis to ensure all relevant issues are captured.

The key is to consider what factors influence your organisation’s information security.

Importantly, ISO 27001 does not require a formal documented report for context, but it’s often helpful to write down a summary of these issues (some auditors may interview you to ensure you did consider them if nothing is documented). This process helps to mitigate risks and supports overall risk management.

Technological advancements, such as artificial intelligence, can significantly impact the external environment and information security, so it’s important to keep these developments in mind.

External and Internal Issues

Clause 4.1 requires organisations to assess and understand the external and internal issues relevant to their purpose and that affect their ability to achieve the intended outcome of the ISMS.

Internal Issues are factors within the organisation that affect its ISMS.

Some examples might include:

Organisational (Recent changes, new acquisitions, new offices, etc)
Policies and Procedures (Perhaps you are aware of outdated documentation or gaps)
Resource Availability (Financial, technological, and human resources might have changed or be in short supply)
Corporate Culture (Attitudes towards security, employee engagement, and awareness might need focus)
Contractual Relationships (Agreements and obligations with internal stakeholders that can impact governance and stakeholder engagement)
Information Assets (Legacy systems going end of life, new products, etc)

External Issues are factors outside the organisation that influence its information security. These are the things you need to consider, because they will shape your ISMS.

These can include:

Regulatory Requirements (Laws and regulations like GDPR or HIPAA)
Market Conditions (Economic trends, competition, and technological advancements, like advances in AI)
Social and Cultural Factors: (Public perception, cultural norms, and societal expectations)
Environmental Conditions: (Natural disasters, climate change impacts – in face you MUST now consider environmental conditions on your ISMS)

Both internal and external issues directly influence the organisation’s information security by shaping the context in which the ISMS operates and determining the risks and opportunities that must be managed.

Amendment 1 2024

In February 2024, ISO published an amendment to Clauses 4.1 & 4.2, requiring organisations to consider the impact of climate change on their risks and scope.

For more information, please review my summary of ISO 27001 Amendment 1.

My ISO 27001 Document Toolkit below contains every document you might need, and tools like my SCOPE WORKBOOK. Grab it below.

ISO 27001 Full Document Toolkit

Every document your auditor
expects to see.

130 Word & Excel templates, ready to edit. Policies, risk register, Statement of Applicability, audit pack, staff communications — all updated for ISO 27001:2022.

130 templates

Instant download

Written by practising consultant

ISO 27001:2022

Clause 4.2 – Understanding the Needs and Expectations of Interested Parties

Clause 4.2 complements the context by focusing on “interested parties”—stakeholders with an interest in your information security. Conducting an interested parties analysis helps ensure all relevant internal and external parties are identified and considered.

Common interested parties include customers, business partners, regulators, shareholders, employees, and other stakeholders. All of these groups of people have an interest in how you handle data, either because it’s theirs or because they need to safeguard it.

Here, you identify who your stakeholders are in relation to the ISMS and what requirements or expectations they have.

Examples: Customers might expect you to protect their data and perhaps have ISO 27001 certification as proof; regulators might require you to comply with specific laws (like GDPR); your executive team might expect the ISMS to reduce security incidents; employees might expect that their data is protected and that security policies are clear.

List the relevant interested parties and their needs or requirements (again, this is not necessarily a required document, but typically, you’d maintain a simple list or table for clarity).

This step ensures your ISMS will align with and support those requirements.

For example, if you overlook a regulatory requirement at this stage, you might miss building a control for it later. You can adjust your scope later if needed (but this must be before certification against that scope).

Senior management is responsible for overseeing and approving the identification of interested parties to ensure all relevant perspectives are addressed.

Clause 4.2 introduces the stakeholder perspective because your ISMS doesn’t exist in a vacuum; it also gives assurance to these parties.

Examples of Interested Parties

Interested Party	Category (Internal/External)	Interest / Requirements of the ISMS
Board of Directors	Internal	Organisational resilience, risk management, regulatory compliance, and maintaining an exceptional reputation.
Leadership Team	Internal	Integrating security into business functions and ensuring adequate resource allocation
Engineering Team	Internal	Secure development practices, intellectual property (IP) protection, and data security
Human Resources	Internal	Secure handling of employee data and staff security training
Finance and Admin	Internal	Protection of financial records and risk management in financial operations
Employees	Internal	Assurance of data protection and clear expectations for data handling
Supervisory Authorities (e.g. ICO, DPC)	External	Compliance with the General Data Protection Regulation (GDPR) and protection of personal data of EU/UK residents
Customers/Clients	External	Data protection assurance, transparency in handling processes, and contract alignment
Suppliers and Vendors	External	Compliance with security policies and secure data sharing
Partners and Investors	External	Confidence in risk management and IP protection
Certification Bodies	External	Evidence of ISO 27001 compliance and continuous security improvement

Clause 4.3 – Determining the Scope of the ISMS

ISO 27001 Clause 4.3 is critical: You must define the scope of your ISMS. The scope sets the boundaries of what your ISMS covers (and, by exclusion, what it doesn’t cover).

Setting a realistic scope is vital for any ISO 27001 implementation, especially in SMEs. Every time I work with a client, I suggest they minimise their scope, at least for the first year, and every time they ignore my advice.

You can always change it later during a recertification.

Key questions include;

Will your ISMS cover the entire organisation or just one business unit?
Does it include all locations or maybe just the head office?
What about certain IT systems – in scope or out of scope?
Is it customer product- or service-focused, or does it include back-office services?

Clause 4.3 requires you to consider the earlier context (4.1 issues and 4.2 stakeholder requirements) when defining scope. This will help inform you decisions.

You should document the scope statement, typically describing the business areas, locations, assets, and processes included in the ISMS. The scope statement should also clearly reflect the organisation’s activities to ensure all relevant operations and processes are considered.

Example Statement:

A scope statement might be: “The ISMS covers the information systems, processes, and personnel of the UK Office’s IT Department supporting the [name] product, including customer data handling and supporting infrastructure.”

This would implicitly exclude other offices or products (although, in honesty, I always like to include an ‘exclusions’ section in my scope, which is a hangover from my project management days).

A clear scope ensures that you focus your efforts where they matter and helps you avoid biting off more than you can chew.

Documenting the scope is mandatory.

ISO 27001 essentially says that if the scope is not written down, it doesn’t exist.

Also, the scope needs to be approved by top management (auditors will check that the defined scope was authorised by leadership, not just decided in isolation by the ISMS implementer.

When defining scope, consider interfaces and dependencies—if you exclude certain parts, are there interactions with in-scope parts that need to be managed?

For instance, if your HR department is out of scope but provides user onboarding info to IT (in scope), you need to manage that interface to ensure you don’t open a vulnerability in your processes.

A common mistake is making the scope too narrow (missing critical assets or processes, thus not addressing key risks) or too broad (overly complex for a first-time implementation). As I mentioned, it’s a point that needs underlining in my opinion;

To begin with, keep the scope as minimal as possible.

Align scope with your business needs and stakeholder expectations (e.g., if a client is pushing for ISO 27001, they likely care about a specific service or data – ensure that’s in scope). The ISMS scope should also support your organisation’s business goals and strategic objectives, ensuring that information security management is aligned with your overall direction and priorities.

Tip: It’s often wise for SMEs to start with a focused scope (e.g., one product line or location) to get quick wins, then expand later. Just ensure the scope isn’t so narrow that the certification becomes irrelevant for stakeholders. ISO 27001 isn’t about revolution; it’s about evolution.

Scope Elements	Questions to help you evaluate scope
Information Assets	What physical locations process that data?
Physical Locations	What physical locations do the assets sit in and process that data? What offices do staff who process the data work in?
Business Functions	What teams process the data? HR / Finance / IT?
Outsourced Services	What services are outsourced, either in terms of sub-processing, or in terms of managing your assets (like external IT Support)

Clause 4.4 – Information Security Management System

Clause 4.4 is a short clause that basically says, “establish, implement, maintain and continually improve an ISMS in accordance with the standard.”

Well, that’s helpful…

Essentially, it tells you to set up the ISMS (i.e., all of clauses 4-10 and applicable controls) and keep it running and improving over time.

There isn’t a specific output from 4.4 like a document; it’s a statement that you need to build the management system.

When you comply with all the other clauses and run the ISMS, you are fulfilling 4.4.

However, auditors might still check that you have an overall ISMS framework in place. For example, they may verify that all required processes exist and that management is committed to maintaining the improvement cycle. Regular management reviews and internal audits are essential to ensure the ongoing effectiveness of the ISMS, as they help evaluate the system’s performance and identify areas for continual improvement.

Clause 4.4 is essentially the bridge from planning into doing: “Go ahead and implement an ISMS that meets all these requirements.”

I might document something that summarises the flow of the ISMS, as illustrated by the following diagram;

a diagram illusrating the scope of the ISMS and dependancies between the elements.

What are the Documentation and Outputs for Clause 4?

The key outputs of Clause 4 are typically;

Records of approval for the context, interested parties, and scope. These records demonstrate that top management has reviewed and agreed on the organisation’s context and boundaries. Internal audits can provide evidence of compliance by assessing whether these records are accurate and up to date.
Documentation linking to risk assessments and the Statement of Applicability. It’s important to regularly review and update this documentation as part of effective risk management, ensuring that all identified risks and controls remain relevant and up to date.

Documented ISMS Scope

Clause 4.3 explicitly requires a documented scope statement for your ISMS.

This is usually a short document or section in your ISMS manual that describes what’s in scope and any exclusions. It should be approved by management.

Auditors will definitely ask for this.

Context and Stakeholders Analysis

While not strictly mandatory, it’s very helpful (and common) to document the outputs of 4.1 and 4.2 – e.g., a list of internal/external issues and interested parties with their requirements.

This could be a section in an ISMS manual, a standalone document, or even part of your scope.

If you don’t document it, auditors may assess your understanding of the context through interviews, which can be hit-or-miss. So, most organisations keep at least a brief record.

Records of Approval

Since leadership should agree on the scope (and therefore the context), meeting minutes or the CEO/MD’s sign-off on the scope document is good evidence.

Link to Risk Assessments

Some companies integrate the context and stakeholder requirements into their risk assessment process. For example, they might include “loss of customer data (customer requirement for confidentiality)” as a risk scenario or note legal requirements from stakeholders that feed into controls.

While not an “output” per se, it’s good to see Clause 4’s findings carried forward into your risk register and treatment (Clause 6).

What Do Auditors Look For in Clause 4 of ISO 27001?

When auditing Clause 4, the auditor will typically check the following:

Understanding of Context

They will evaluate whether you’ve identified relevant internal and external issues.

This might be done by reading your context document or asking questions like, “What factors in your business or environment influence your information security?” Expect to discuss topics such as company size, regulatory pressures, market threats, etc.

Identification of Interested Parties

The auditor may ask who your interested parties are and what your identified requirements are. They want to see that you didn’t overlook a major regulatory requirement or a key security clause in a customer contract.

Scope Document

This is usually a primary focus. The auditor will review your ISMS scope and ensure it’s clearly defined (with no ambiguous wording) and makes sense in the context and with the stakeholders. They’ll verify that it covers the essential parts and aligns with your organisation’s activities.

If your scope is “the IT department”, but your company heavily processes personal data in other departments, expect questions.

The auditor will also seek evidence that the scope was approved by top management (e.g., a signature or meeting record).

Scope Implementation

Auditors often “test” the scope by sampling something outside the scope to see that you are truly excluding it.

For example, if your scope excludes the Finance department, an auditor might speak with someone in Finance to confirm they are not part of the ISMS processes. This ensures you’re not managing something out of scope or, conversely, ignoring something in scope.

Overall ISMS Understanding

Clause 4.4 being general, the auditor might not address it separately; however, by reviewing your whole ISMS, they can confirm that you have established and are maintaining an ISMS.

There’s no specific item for 4.4 except “here’s our ISMS documentation set and how we keep improving it,” as evidenced by the implementation of the other clauses.

Case Study

I worked with an SME that defined its ISMS scope as “All IT Systems and Services“. On the surface, that seems simple enough, but in reality, it meant that all services, data, personnel, etc., within the entire company became part of the scope.

I tried to argue against this approach, but they felt that they didn’t want to come back to it later, and that was the expectation of their customers (it wasn’t – customers care about how their data is handled).

Fast forward a few months, and the project turned into a farce because IT (who initiated the project) was trying to implement processes and policies across multiple business areas, treating IT as the master, not the servant.

The pushback was immense.

Eventually, the project lost the good faith we had at the start and ultimately fizzled out. It was all just so avoidable.

What should have happened in these circumstances was that IT should have applied the scope only to the customer’s products and services. This would have left much of the back-office function unchanged. Then, as they proved the value and worked out the kinks in their processes, they could have expanded the scope.

FAQs

Why is Clause 4 such a critical starting point in ISO 27001?

Clause 4 lays the groundwork for your entire ISMS. It ensures you’re not implementing controls in a vacuum by first asking you to understand your organisation’s context, identify key stakeholders and their expectations, and clearly define the scope of your ISMS. Without a solid foundation here, your ISMS might lack focus or fail to meet the business’s and its stakeholders’ needs. It’s about aligning security with your reality—before diving into solutions.

Do I have to create formal documents for Clause 4?

Not necessarily, but it’s highly recommended. While ISO 27001 only mandates documenting your ISMS scope (Clause 4.3), it’s good practice to record your organisation’s context and interested parties (Clauses 4.1 and 4.2). This helps with clarity and buy-in and makes life easier during an audit. Auditors may ask probing questions if no records exist, so even a brief write-up or table can go a long way.

How do I choose a sensible scope for our ISMS?

Start small and strategic. A common pitfall is trying to boil the ocean—defining a scope so broad it includes every system, person, and process from day one. This often leads to frustration, delays, and resistance. Instead, focus on the most critical products, services, or departments (especially those under pressure from clients or regulators), and expand your scope over time.

Be clear about what’s in and out, and manage the interfaces between them to avoid gaps.

What do auditors look for when reviewing Clause 4?

Auditors typically check:
– That you’ve identified internal and external security issues (Clause 4.1).
– That you’ve listed relevant interested parties and their requirements (Clause 4.2).
– That your scope is clearly defined, documented, and approved by leadership (Clause 4.3).
– The ISMS exists in practice, not just on paper (Clause 4.4).
– They may test your scope boundaries too—so if you’ve excluded something, make sure it’s genuinely outside your ISMS activities.

For more details, see the section in the main article above.

Read About ISO 27001 Clause 5 – Leadership