SECTARA Knowledge Base


Establishing the Context

Documenting assessment context is critically important, as it provides the basis for establishing and justifying assertions in the asset, threat, risk control effectiveness, and risk identification and assessment stages. Ideally, it also underpins the case for making treatment recommendations, which is clearly a pivotal aspect of the security risk assessment process.

AS ISO 31000:2018 Risk management – Guidelines suggests that a range of issues be considered and documented at this stage of the assessment. Where standards-based consistency is important, assessors should therefore document the following matters, along with anything that is specifically required and relevant to each assessment:

External Context

  • The social, cultural, political, legal, regulatory, financial, technological, economic, and environmental factors, whether international, national, regional or local.
  • Key drivers and trends affecting the objectives of the organisation.
  • External stakeholders’ relationships, perceptions, values, needs and expectations.
  • Contractual relationships and commitments.
  • The complexity of networks and dependencies.

Internal Context

  • Vision, mission and values.
  • Governance, organisational structure, roles and responsibilities.
  • Strategy, objectives and policies.
  • Organisational culture.
  • Standards, guidelines and models adopted by the organisation.
  • Capabilities, understood in terms of resources and knowledge (e.g. capital, time, people, intellectual property, processes, systems and technologies).
  • Data, information systems and information flows.
  • Relationships with internal stakeholders, taking into account their perceptions and values.
  • Contractual relationships and commitments.
  • Interdependencies and interconnections.
