In my previous two articles in this series, focused on developing an Information Security Management System (ISMS) based on ISO 27001:2013, I presented the common myths associated with the standard. In this article, I am going to provide an overview of the standard and of section 4, Context of the organisation.
Okay, I know I promised to delve into and discuss the requirements defined in 4 Context of the organisation. However, I realised that there are other common myths that I should dispel for those of you who are interested in implementing an Information Security Management System (ISMS) that conforms with ISO/IEC 27001:2013 (ISO 27001).
A typical project management methodology doesn't include steps for ensuring the confidentiality, integrity and availability of information, or the privacy of personal information. Experience has shown that, too often, the information security or privacy subject matter experts are not consulted about a project until the test phase, or, even worse, when the project needs to be signed off or is about to go live.