4.1 Understanding the organization and its context

ISO 28000 2022 requires the organization to determine internal and external issues that affect its security and resilience objectives, identify interested parties and their needs, and define the scope of the security management system. This understanding informs risk assessment, policy development and appropriate controls.