“Context of the organization” is essentially a new requirement in management system standards, introduced based on the guidance given to standards writers in Annex SL. However, it is not really a new idea in the grand scheme of things when it comes to all things ISO MSS – management system standards, that is.
To get straight to the point, then: through the process of establishing and implementing any management system, an organization will have instinctively addressed many, if not all, of these requirements already, and probably without having realized it. Regardless of whether you approached this in a formal or an informal way, having a good understanding of the organization’s business context is critical if your time and efforts are to bear fruit.
For those who are transitioning from an older version of a standard to a newer one (ISO 9001:2015 and ISO 14001:2015, for example), you might be wondering what all the fuss is about and be a little fuzzy on exactly what it is that you’ll have to do to meet the new requirements. For the experienced business continuity and information security fellows, this is nothing particularly new as it has been a requirement of ISO 22301 since its first release in 2012, and ISO/IEC 27001 since its 2013 update.
To aid and abet in doing good for your company, over the coming weeks, I’m going to be publishing a series of short articles covering my thoughts on what this subject is all about, why it’s so important, how you might go about implementing and meeting these requirements, and making some suggestions and observations on techniques and approaches that might be useful to implementers.
Before we move on, I’ll just say now that this is not an article for the “I just want the ISO certification” type companies – as “context” is often ignored in those cases. But that’s another subject and we can discuss that at a later time. With that cleared up, let’s get started.
So What Is Context of the Organization?
Consider an information security management programme. When we assess security threats and implement controls, we need to approach the task with some contextual understanding.
It would likely be a waste of time, effort, and money to consider in detail the risks of state-sponsored hacking if your business was a small coffee shop called “Nan’s Coffee” located in Halesworth town center, Suffolk, England. Ever heard of that place? Didn’t think so. Is it likely to be a target of foreign governments? I shouldn’t think so, no. So we probably couldn’t justify a need to hire a full-time team of cyber security professionals to monitor and protect our coffee shop’s IT systems 24/7.
What if we are a public utility company providing the nation’s water and power needs? Firstly, that is very different from being a coffee shop! Secondly, we probably would have a cyber team, as well as a whole floor of specialists concerned with legal and regulatory compliance. The context is very different. So we implement something very different.
As a consultant and trainer, my business involves a lot of moving around. I travel, I meet people, I go places. I spend a lot of time in the Middle East. Do I need to wear body armor when I travel between cities and towns for work? No, I do not! If I did work in Iraq or Afghanistan, you would have a different answer – but I don’t.
Without context, we may be unknowingly making wrong, bad, or uninformed decisions. Or just missing out on opportunities altogether.
Having context gives us boundaries and insight. Companies that do not link policies, objectives, actions, and results to their business context are more likely to be the companies that are hiring unnecessary staff to perform unnecessary tasks; purchasing unnecessary equipment, software, or hardware; sending staff on unnecessary training; and implementing unnecessary controls and unenforceable or pointless policies and procedures.
Or maybe it’s the other way around, where they’re not hiring the necessary staff, with the necessary competencies, to perform the necessary tasks. You get the picture.
An understanding of context frames our entire journey. It’s a map of our galaxy, so to speak. If the accountable people in our business need to get us to a particular star at a particular time to achieve a particular objective, they’re gonna need a map of the galaxy.
Why is Context Important?
The point is, every company is different. To add value, a management system must be in tune with an organization’s strategic direction and objectives. Management system processes don’t live outside of normal business activities; they ‘are’ the normal business activities.
If we don’t really understand our own business, then what will we implement? How would we implement? How do we integrate? How would we measure outcomes? How could you determine the best route to Proxima Centauri b if you weren’t familiar with the galaxy?
Without context, a management system amounts to practically nothing but paperwork and a burden (financial and otherwise). When people aren’t motivated and can’t understand why they have to “keep a record” or “follow a procedure” or “deliver on time” or “hit Ctrl-Alt-Del”, or when management “say” they must do it but don’t follow up with the necessary support, then chances are that, when nobody is looking, those things aren’t going to be done.
Where context has been ignored, and policies, objectives, and procedures are implemented without proper consideration, you’ll have one of those management systems that is full of holes. Constant and repeated nonconformities are the signature of such a management system.
You’ll probably get certified initially, but maintaining such a system in the long term will cost you dearly and add little or no strategic value. You’ll be another box-ticking company aiming at minimum compliance at the cost of performance and ongoing improvement.
Clause 4 Context of the Organization – What Does it Cover?
In general, this clause covers the need for an organization to identify its internal and external issues, legal, regulatory, and contractual requirements, as well as to determine the requirements, needs, and expectations of any interested parties.
The organization must also determine the purpose of the management system and be able to answer the question: What is the intended outcome?
And last, but certainly not least, given this understanding, what will be the scope of the management system? The scope defines the boundaries and interfaces, both internal and external, where our processes and activities play a role in achieving the intended outcomes.
“Context of the Organization” is simply the idea that we need to understand how our business works, what’s involved, its motivations and drivers, and the factors that can positively and negatively impact our ability to achieve strategic objectives or other commitments, in order to be able to establish, implement, operate, monitor, maintain, and continually improve the organization’s management system.
Take a personal example. Ask yourself: “Why did I choose, pay for, study, and pass that last training course I attended?” Or, “Why do I want to invest my time and effort to attain that particular certification?” The answer may come from a personal context – self-improvement or personal interest in a subject. Or maybe from a business context – promotion, salary increase, peer respect, and job opportunities.
Now consider whether you would have invested that same time, money, or effort in the course if you weren’t going to get anything out of it. Sounds like a waste of time, money, and effort to me. You planned and took action given a specific context – it wasn’t random or ad hoc.
That’s it for now. See you in part two where we’ll dig more into the subject of “internal issues”.
If you have any particular questions on this subject, then be sure to jump in and comment or ask, and I’ll do my best to address them as I hit the relevant parts in other articles.