Understanding the needs and expectations of interested parties for ISO 27001 Requirement 4.2
What is covered under ISO 27001 Sect 4.2?
Sect 4.2 covers ‘Understanding the needs and expectations of your organisation’s interested parties’ and is a really important part of ISO 27001.
Much like the ISO section on internal and external issues (4.1), the standard gives you very little guidance on who those interested parties are or how to handle them.
What is an interested party?
At its simplest, an interested party is a stakeholder. Stakeholders can have different levels of interest, power and support. So rather than going ahead and creating a range of policies and controls for your interested parties that may or may not be useful, let’s first think about how we might identify our own interested parties, and then, more importantly, begin to segment them into categories.
How to identify and categorise your interested parties
Using a four-box model, we are going to look at low and high interest against low and high power. This is because not all stakeholders, and their interests, are created equal.
What should be included in the ‘Keep satisfied’ category?
If a stakeholder is high power and low interest, you should be thinking of that individual or group as a ‘keep satisfied’ stakeholder. Ask yourself, what will you do in your policies and controls to keep them satisfied? In this high power and low interest area, you might see organisations like legislators and regulators.
There may also be malicious parties that you need to keep at bay, as well as customers, auditors and other bodies. Their interest is quite low on a day-to-day basis, but their power is high.
What should be included in the ‘Key player’ category?
If an interested party has both high interest and high power, we would call them a key player. These groups are most satisfied when they are actively involved; for example, you could ask them to help you develop and deliver better systems.
You might actually have some of your customers in this category, as they may be very interested in how you are working day to day. Your senior management team, critical infrastructure suppliers and similar parties will likely fall into this category too.
Who are the other interested parties and what are your next steps?
Entities that have a lot of interest in what you are doing, but don’t have a huge amount of power or influence over you, may include suppliers looking to sell to you, or perhaps media and commentators. Those with low interest and low power are often competitors.
Combining this interested parties work with the internal and external issues you will have identified in 4.1, you should now have a better idea of which parties are likely to have positive intent and which malicious intent. That gives you a better understanding of the risks to your organisation, and of how you will build the policies and controls that address those parties.
In our ISMS.online software we have built an environment to help you to digitise the work you have done here.
The easy-to-use tool gives you a visual indicator of the interested parties that are being kept satisfied, as well as those you have identified as unsatisfied and that are therefore a potential risk to your organisation.
In ISMS.online we provide a template policy and the tool to meet the requirements of ISO 27001 Sect 4.2.
Subscribe to our ISO 27001 Virtual Coach and you will also have expert guidance on this and all the other ISO 27001 core requirements and Annex A controls.
Discover how ISMS.online will accelerate your ISO 27001 certification.
The ISO 27001 requirements are listed below:
- 4.1 Understanding the organisation and its context
- 4.2 Understanding the needs and expectations of interested parties
- 4.3 Determining the scope of the information security management system
- 4.4 Information security management system
- 5.1 Leadership and commitment
- 5.2 Information Security Policy
- 5.3 Organizational roles, responsibilities and authorities
- 6.1 Actions to address risks and opportunities
- 6.2 Information security objectives and planning to achieve them
- 7.1 Resources
- 7.2 Competence
- 7.3 Awareness
- 7.4 Communication
- 7.5 Documented information
- 8.1 Operational planning and control
- 8.2 Information security risk assessment
- 8.3 Information security risk treatment
- 9.1 Monitoring, measurement, analysis and evaluation
- 9.2 Internal audit
- 9.3 Management review
- 10.1 Nonconformity and corrective action
- 10.2 Continual improvement
The ISO 27001 Annex A Controls are listed below:
- A.5 Information security policies
- A.6 Organisation of information security
- A.7 Human resource security
- A.8 Asset management
- A.9 Access control
- A.10 Cryptography
- A.11 Physical and environmental security
- A.12 Operations security
- A.13 Communications security
- A.14 System acquisition, development and maintenance
- A.15 Supplier relationships
- A.16 Information security incident management
- A.17 Information security aspects of business continuity management
- A.18 Compliance
Need a set of ISO 27001 policies for your ISMS?
ISMS.online includes practical policies and controls for your organisation to easily adopt, adapt and add to, giving you a 77% head start with ISO 27001.