ISO 27001:2013Sect. 4.2 – Understanding the requirements of interested parties
Achieving and Continuously Improving ISO 27001: 2013
Understanding the needs and requirements of your organisation’s interested parties is a really important part of ISO 27001.
Much like the ISO section on internal and external issues, you are not given a great deal of guidance with those interested parties.
What is an interested party?
At its simplest, an interested party is a stakeholder. Stakeholders can have different interest, power, support levels. So rather than going ahead and creating a range of policies and controls for your interested parties, that may or may not be useful, let’s first think about how we might identify our own interested parties. And then, more importantly, begin to segment the interested parties into categories.
Identifying and categorising your interested parties
Using a four-box model, we are going to look at low and high interest and low and high power. This is because not all stakeholders and their interests are created equal.
‘Keep satisfied’ category
If a stakeholder is high power and low interest, you should be thinking of that individual or group as a ‘keep satisfied’ stakeholder. Ask yourself, what will you do in your policies and controls to keep them satisfied? In this high power and low interest area, you might see organisations like legislators and regulators.
There may also be malicious parties that you need to keep at bay, as well as customers, auditors and other bodies. Their interest is quite low on a day to day basis, but their power is high.
‘Key player’ category
If an interested party has both a high interest and high power, we would call them a key player. These groups are most happy when they are actively involved. Ask them to help you to develop and deliver a much better system.You might actually have some of your customers
You might actually have some of your customers in this category. They might be very interested in how you are working day to day. Your senior management team, infrastructure critical supplier.
The other interested parties and your next steps
Entities that have a lot of interest in what you are doing, but don’t have a huge amount of power or influence over you, may include suppliers looking to sell to you, or perhaps media and commentators. Those that are low interest and low power are often competitors. internal and external issues, who are the parties that are going to have both positive and
Combining this interested parties work with the internal and external issues you will have identified in 4.1, you should now have a better idea of who the parties are that are going to have both positive and malicious intent. You should now have a better understanding of the risks for your organisation, and how you will build the policies and controls for those parties.
We have built an environment in the ISMS.online software to help you to digitise the work you have done here.
The easy to use tool gives you a visual indicator of your interested parties that are being kept satisfied, as well as those you have identified as unsatisfied, and are therefore a potential risk to your organisation.