The opening focus of the new edition of ISO 27001 is clause 4.1, Understanding the organization and its context. The relevant requirement reads:
The organization shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its information security management system.
The NOTE to this clause adds: Determining these issues refers to establishing the external and internal context of the organization considered in Clause 5.3 of ISO 31000:2009.
**ISO 31000:2009 is the international standard Risk management — Principles and guidelines**; the main content of its Clause 5.3 is as follows:
5.3 Establishing the context
5.3.1 General
5.3.2 Establishing the external context
The external context can include, but is not limited to:
⎯ the social and cultural, political, legal, regulatory, financial, technological, economic, natural and competitive environment, whether international, national, regional or local;
⎯ key drivers and trends having impact on the objectives of the organization; and
⎯ relationships with, perceptions and values of external stakeholders.
5.3.3 Establishing the internal context
It is necessary to understand the internal context. This can include, but is not limited to:
⎯ governance, organizational structure, roles and accountabilities;
⎯ policies, objectives, and the strategies that are in place to achieve them;
⎯ capabilities, understood in terms of resources and knowledge (e.g. capital, time, people, processes, systems and technologies);
⎯ the relationships with and perceptions and values of internal stakeholders and the organization's culture;
⎯ information systems, information flows and decision making processes (both formal and informal);
⎯ standards, guidelines and models adopted by the organization; and
⎯ form and extent of contractual relationships.
5.3.4 Establishing the context of the risk management process
The context of the risk management process will vary according to the needs of an organization. It can involve, but is not limited to:
⎯ defining the goals and objectives of the risk management activities;
⎯ defining responsibilities for and within the risk management process;
⎯ defining the scope, as well as the depth and breadth of the risk management activities to be carried out, including specific inclusions and exclusions;
⎯ defining the activity, process, function, project, product, service or asset in terms of time and location;
⎯ defining the relationships between a particular project, process or activity and other projects, processes or activities of the organization;
⎯ defining the risk assessment methodologies;
⎯ defining the way performance and effectiveness is evaluated in the management of risk;
⎯ identifying and specifying the decisions that have to be made; and
⎯ identifying, scoping or framing studies needed, their extent and objectives, and the resources required for such studies.
5.3.5 Defining risk criteria
When defining risk criteria, factors to be considered should include the following:
⎯ the nature and types of causes and consequences that can occur and how they will be measured;
⎯ how likelihood will be defined;
⎯ the timeframe(s) of the likelihood and/or consequence(s);
⎯ how the level of risk is to be determined;
⎯ the views of stakeholders;
⎯ the level at which risk becomes acceptable or tolerable; and
⎯ whether combinations of multiple risks should be taken into account and, if so, how and which combinations should be considered.