Information Security Network Security and Privacy Protection

1 Scope

This International Standard specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of an organization. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization.
The requirements set out in this standard are generic and are intended to apply to all organizations, regardless of type, size or nature.
When an organization claims conformity to this International Standard, it cannot exclude any of the requirements specified in Clauses 4 to 10.

2 Normative references

The following documents are referred to in the text in such a way that some or all of their content constitutes requirements of this standard. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 27000, Information technology — Security techniques — Information security management systems — Overview and vocabulary

3 Terms and definitions

For the purposes of this standard, the terms and definitions given in ISO/IEC 27000 apply.
ISO and IEC maintain terminology databases for use in standardization at the following addresses:
— ISO Online Browsing Platform: https://www.iso.org/obp
— IEC Electropedia: https://www.electropedia.org/

4 Context of the organization

4.1 Understanding the organization and its context

The organization shall determine the external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its information security management system.
NOTE Determining these issues refers to establishing the external and internal context of the organization, as described in clause 5.4.1 of ISO 31000:2018.

4.2 Understanding the needs and expectations of interested parties

The organization shall determine:
a) the interested parties that are relevant to the information security management system;
b) the information security-related requirements of these interested parties;
c) which of these requirements will be addressed through the information security management system.
NOTE The requirements of interested parties may include legal and regulatory requirements and contractual obligations.

4.3 Determining the scope of the information security management system

The organization shall determine the boundaries and applicability of the information security management system to establish its scope.
When determining this scope, the organization shall consider:
a) the external and internal issues referred to in 4.1;
b) the requirements referred to in 4.2;
c) the interfaces and dependencies between activities performed by the organization and those performed by other organizations.
The scope shall be documented and made available.
4.4 Information security management system
The organization shall establish, implement, maintain and continually improve an information security management system, including the processes needed and their interactions, in accordance with the requirements of this International Standard.


Source: blog.csdn.net/m0_74079109/article/details/131864470