SGRII Insights · ISO 27001:2022 · 2026
Your ISMS Scope Was Set on Day One. Your Organisation Has Not Stood Still Since.
Most certified ISMS implementations treat Clause 4 as a project-launch activity. ISO 27001:2022 treats it as a permanent system obligation. That gap is where scope becomes liability — and where Stage 2 auditors find their first finding.
SGRII Performance & Digital Solutions
ISMS Practice · April 2026 · 11 min read
SGRII Pillar Lens: Systems
Systems thinking applied to Clause 4 means understanding that context is not a statement. It is a process. The information security management system inherits its scope, its risk landscape, and its control priorities from a living analysis of the organisation’s environment — internal and external. When that analysis is static, everything downstream of it is built on an assumption that the day it was written was the last day anything changed.
Pull any ISMS document pack produced between 2016 and 2022 and find Clause 4. What you will almost certainly find is a two-to-four-page document titled ‘Context of the Organisation’ or ‘Organisational Context Statement.’ It lists internal issues — usually a SWOT. It lists external issues — usually a PESTLE. It names interested parties and, in the better implementations, captures what those parties require. And then it was filed. Approved at project kickoff, referenced at Stage 1 audit, and not substantively updated since.
This is the most structurally consequential error in ISO 27001 implementation. Not because the document is wrong — it was probably accurate on the day it was written. But ISO/IEC 27001:2022 does not ask the organisation to describe its context once. It asks the organisation to determine external and internal issues relevant to its purpose that affect its ability to achieve the intended outcomes of the ISMS. The word ‘determine’ is not past tense. The clause does not expire.
What Clause 4 Actually Requires
Clause 4.1 requires the organisation to determine external and internal issues relevant to its purpose and that affect its ability to achieve the intended outcome of the ISMS. Clause 4.2 requires the identification of interested parties and the determination of their requirements relevant to information security. Clause 4.3 uses both outputs to define the ISMS scope. And Clause 6.1 requires that the risk assessment process takes the context of the organisation as its starting point.
Four clauses. One living foundation. When the foundation is static, all four are compromised. The risk register reflects threats that existed when the context analysis was completed. The scope reflects boundaries that were commercially convenient at project inception. The interested party register lists requirements that were documented without a mechanism for monitoring change. And the ISMS is — silently, without any visible finding — increasingly detached from the organisation it is meant to protect.
A scope document that has not changed in thirty months in a rapidly evolving threat and regulatory environment is not evidence of organisational stability. It is evidence that no one has reviewed the context.
The Three Traceability Failures Auditors Find Most Often
The first is the absence of a traceability link between the context analysis and the ISMS scope boundary. The scope document names what is included. It rarely explains why specific assets, sites, or processes are excluded — and whether that exclusion was a deliberate, risk-informed decision or a pragmatic choice made at kickoff to limit the certification scope. An auditor who asks ‘why is your cloud infrastructure outside scope?’ expects a context-grounded answer. ‘Because it was not in scope at certification’ is not one.
The second is the absence of a monitoring mechanism for interested party requirements. ISO 27001:2022 Clause 4.2 requires identification of the requirements of relevant interested parties and determination of which of those requirements will be addressed through the ISMS. The standard implies ongoing determination, not one-time listing. Customer contracts change. Regulatory obligations are amended. Supplier security requirements evolve. An interested party register that has not been reviewed since implementation is a Clause 4.2 finding waiting to be raised.
The third — and most consequential — is the failure to connect context changes to risk register updates. Clause 6.1 risk identification must reflect the organisation’s actual information security environment. If the context analysis identifies a new external issue — an emerging regulatory requirement, a significant change in the threat landscape, a new major customer with contractual security obligations — the risk register must respond. If it does not, the ISMS has not processed the change. The system has a gap between its stated context and its operative risk model.
What a Living Clause 4 Process Looks Like
Scheduled context review triggers: at minimum annually, and whenever a significant organisational, regulatory, or threat environment change occurs
Context review outputs are formally recorded — not as a refreshed narrative document, but as a structured assessment of what has changed and what the ISMS implications are
Interested party register is reviewed against active contracts, regulatory registers, and customer security questionnaires on a defined cycle
Scope boundary is confirmed or updated based on context review output, with documented rationale for inclusions and exclusions
Context review outputs are presented as a mandatory input to Clause 9.3 management review for leadership-level awareness and decision
Changes in context that affect the risk landscape generate a risk register review trigger, ensuring Clause 4 and Clause 6 remain connected
THE SGRII ISO 27001:2022 ISMS FRAMEWORK
The SGRII ISMS Framework treats Clause 4 as a living governance process, not a project deliverable. Every component is built with context-to-risk-register traceability by design.
Includes: Version-controlled ISMS Context & Scope Register with defined review triggers, Interested Party Requirements Matrix with specific attributable obligations, Scope Boundary Justification with risk-based exclusion rationale.
What the Standard Specifically Requires as Evidence
ISO/IEC 27001:2022 Clause 4.1 requires documented information to the extent necessary to support confidence that the processes have been carried out as planned — which in audit practice means auditors expect to see evidence of context determination, not just a context statement. Evidence includes: meeting records, review logs, documented issue registers with dates of last review, and traceable links between context outputs and scope decisions.
Clause 4.2 evidence requirements are equally specific. The interested party register must capture not just who the parties are, but what their requirements are and how the ISMS addresses them. A register that lists ‘Customers: data protection’ without capturing specific contractual or regulatory obligations is not satisfying Clause 4.2 — it is describing it.
What Auditors Actually Evaluate — ISO 19011 Perspective
Auditors will request the last two context review records and compare them. Identical outputs across consecutive review cycles in an organisation that has undergone significant change are a Major NC indicator.
Auditors will select two to three interested parties and ask: what are their specific information security requirements, and where in the ISMS are those requirements addressed? Inability to answer with reference to documented evidence is a Clause 4.2 finding.
Auditors will trace the scope boundary and ask for the risk rationale behind any significant exclusion — cloud providers, outsourced processing, third-party data custodians. ‘Out of scope by agreement with the certification body’ is not a risk-based justification.
Auditors will ask whether any significant changes in the organisation’s external environment have been assessed for ISMS impact since the last review — and request the evidence of that assessment.
Why Most Implementations Treat Clause 4 as a Document, Not a Process
The implementation industry has a structural incentive to treat Clause 4 as a deliverable rather than an obligation. A document can be produced, reviewed, approved, and submitted. A process requires a governance mechanism, a review cycle, a trigger framework, and a traceability architecture. Documents have a completion point. Processes do not.
The result is a certification industry that has normalised static context analysis at the same time as the threat and regulatory environments that context analysis is meant to reflect have accelerated dramatically. GDPR came into force after many certifications were in maintenance. AI-driven threats were not in scope discussions five years ago. Supply chain attack vectors that the ISMS risk register should now address were not the dominant threat pattern at most organisations’ original certification. The context has changed. The Clause 4 document, in most certified systems, has not.
The SGRII Position
The SGRII view on Clause 4 is structural: context is the first pillar of the ISMS architecture. The Systems pillar requires that the information security management system is designed as a system — one in which every component is connected to a living, accurate picture of the organisational environment. A system built on a static context analysis is not a system. It is a document hierarchy that was current on the day it was approved and has been decaying since.
Every element of the SGRII ISO 27001:2022 ISMS Framework is designed with Clause 4 traceability built in. The ISMS Context & Scope Register is a structured, reviewable document with version control and review date tracking — not a narrative statement. The Interested Party Register captures specific, attributable requirements with review cycles. The ISMS Scope Boundary Definition includes risk-based exclusion justification. And the Management Review Record includes context review as a mandatory agenda item, ensuring that leadership receives and acts on changes to the organisational information security environment at every review cycle.
SGRII ISO 27001:2022 ISMS FRAMEWORK
Two tiers. One framework. Choose the depth your organisation needs.
Professional
$149
Modules 01–06 · Self-implementing SME
ISMS Context & Scope Register (version-controlled, review-triggered)
Interested Party Requirements Matrix with monitoring obligations
Scope Boundary Justification with risk-based exclusion rationale
Management Review Record with Clause 4 as mandatory agenda input
15-template pack covering Clauses 4–10 evidence requirements
Premium
$349
11 deliverables · Compliance Manager & Consultant
Everything in Professional (Modules 01–06)
E3: ISMS Compliance Checklist — Clause 4 requirements verified 100%, context-to-scope traceability confirmed
E2: Risk & Opportunity Register — pre-linked to context inputs, maintaining the Clause 4→6 evidential chain
E1: DI Register + Annex A Map — 16/16 mandatory documented information items complete
O7: Annex A Implementation Guide — context-informed control selection across all 93 controls
Both tiers include immediate download · Lifetime access · Designed for Stage 2 audit readiness
The Direct Challenge
When was your Clause 4 context last substantively reviewed? Not re-approved — reviewed. When were your interested party requirements last verified against current contracts and regulatory obligations? When was your scope boundary last examined against your actual operational footprint? If the honest answer to any of these questions is ‘at certification,’ your ISMS is built on a context that no longer exists.
Join the Conversation
Has your Stage 2 or surveillance auditor ever challenged the currency of your Clause 4 context analysis — or was the document reviewed without testing its connection to your current risk register? We want to know what the audit community is actually finding.
ISMS Managers, Lead Auditors, and consultants with direct audit experience of Clause 4 findings are particularly welcome to contribute. The SGRII team responds to every substantive comment.
Build it, don’t just read about it
SGRII ISO/IEC 27001:2022 ISMS Framework
All 93 Annex A controls, Statement of Applicability, risk register and audit pack — built for certification readiness.
Coverage is not compliance. SGRII frameworks provide structured coverage, templates and guidance. They are designed for audit defensibility and structured for certification readiness; they do not certify you, do not guarantee a successful audit, and are not legal advice. The official ISO standard remains the only authoritative source of requirements.