It is a constantly changing sector, both technical and regulatory, and where, in most cases, protective measures are only developed after a threat has already turned into damage. Therefore, the context analysis phase plays a crucial role.

The context of an organization entails the particular combination of all internal and external factors that characterize the organization, in all its aspects, and that has an effect on the organization’s operations.

We can identify internal factors as all the elements proper to an organization that characterize it and distinguish it from others: the characteristics of the activities performed by the organization, the location and work, the information system used, and the types of information processed.

External factors, on the other hand, are those elements that define the organization’s context over which the organization does not have direct control: current or potential competitors, applicable regulations, market trends and the economic, political, and social situation, customers, and suppliers, etc.

Both internal and external factors affect, each to a certain extent, the security of the information processed by the organization. It is therefore necessary to have a clear picture of the context in which the organization operates. This is because only after analyzing the context can the risks and sources of risk to information security be identified. The correct analysis of internal factors can highlight the weaknesses, criticalities and vulnerabilities of the information system adopted. In addition, the identification of the characteristics of the location and the work performed will lead to the adoption of protection measures rather than others.