4.1 Understanding the organization and its context

The 4.1 clause requires an organization to determine internal and external issues that are relevant to its purpose and that affect its information-security management system, considering factors such as legal, regulatory, contractual, market, cultural and technological conditions, and to document how these circumstances shape its security objectives and controls.