Technical context of an information system
Find the technical context of an information system to get a basic understanding of its current security position — this way, you can know whether a change makes that position better or worse.
Stakeholders for the technical context
For the information system that you’re assessing for risk, you’ll need to meet with its technical stakeholders. Depending on the roles in your organisation, these could be:
- the service or technical owner — or their nominated delegate
- enterprise or solution architects
- subject matter experts
- development and operations (DevOps) teams.
Make sure all the relevant stakeholders are involved and that everyone is on board with setting up a successful risk assessment.
Technical context for public cloud services
Risk assessments for public cloud services focus on internal and external risks — as defined by the International Organization for Standardization (ISO). Technical stakeholders can help you to identify, quantify and treat these risks.
Aspects of legacy-system technical contexts
When meeting with technical stakeholders about a self-hosted, legacy information system, focus on identifying its:
- logical architecture
- system components.
The logical architecture is made up of views of the system and component levels of an information system. These should include the:
- security domains where system components are located
- system interfaces and information flows — where and how data is stored, transmitted and processed.
Stakeholders responsible for the logical architecture
The stakeholders responsible for identifying the information system’s components and defining its boundaries are the:
- service owner — or their nominated delegate
- enterprise or solution architect.
System components are the hardware and software components that make up the information system. List all direct and indirect components, such as:
- operating systems
Stakeholders responsible for the system components
Subject matter experts in the organisation’s information and communications technology (ICT) are responsible for the ongoing support and maintenance of the information system.