What Are Internal and External Issues in ISO 27001

If your company is ISO 27001 certified, you should be able to determine the internal and external issues relevant to your ISMS context, which affects its ability to attain the desired outcome. Being able to identify your organisational context helps provide a clearer view of both positive and negative issues for information security and allocate resources where they’ll achieve better results.

Understanding the organisation’s context is also a requirement under clause 4.1 of the ISO 27001 standard. Below, we discuss the internal and external contexts that may hinder an organisation from achieving its intended outcome.

Internal Issues Affecting ISMS Outcomes

Internal issues involve inner factors under the direct control of a company. They include:

  • Organisational structure: This is a system that defines how certain activities are directed and aligned in order to achieve the long-term goals of the organisation. This involves knowing the roles and responsibilities of your team members in ISO 27001. That will help you know where to position the ISMS.
  • Available resources: These are your organisational infrastructure, including systems and processes, personnel, technologies, equipment, knowledge, and time that can guide you in the development of solutions and competencies as well as acquisitions.
  • Organisational drivers: These are factors used to develop relevant supports and infrastructures that help define an organisation’s information security strategies, objectives, and policies. These drivers often include the organisation’s mission, vision, and values.
  • Organisational operations: It is vital to know how the organisation executes operations. You may need to understand how processes work, the decision-making process, and how information flows within the organisation. This will make it easier for you to integrate information security processes and determine the scope of the ISMS.


External issues are things outside an organisation that will impact its progress or success. An organisation cannot control external factors, but it can adapt to them. They include:

  • Applicable legal and regulatory policies: These are laws and regulations an organisation must comply with while in operation.
  • Market and customer trends: These trends are constantly changing, and organisations must always be on the lookout. An example of a trend that companies should consider for their ISMS is the adoption of cloud services.
  • External relationships: The external interested parties have their own values, beliefs, and perceptions that must be considered.
  • Technological trends: New technological trends and innovations can provide new ways to safeguard information or render the available security controls useless.
  • Political and economic factors: The economic and political conditions must also be observed because they can potentially impact business operations.

How to Document Internal and External Issues

Under ISO IEC 27001, you are not required to document the context of the organisation in a separate document. You only need to document information on specific issues. For external issues, you should document your information security goals and outcomes of the risk assessment, information assets, and the competence of your staff. You must also document the relevant regulatory, contractual, legislative, and statutory requirements in an external context.

Get in Touch With Best Practice Biz

If you are struggling to determine the external and internal issues of ISO 27001, Best Practice Biz can help. As a JAS-ANZ accredited body, we can help your organisation prepare and implement ISO 27001 standard. We offer a vast range of in-house including support and training. Contact us today for all your ISO certification needs.

Subscribe to our Newsletter


This field is for validation purposes and should be left unchanged.

Share This Post With Your Network

More To Discover