Understanding the needs and expectations of interested parties for ISO 27001 Requirement 4.2

What is covered under ISO 27001 Clause 4.2?

Sect 4.2. covers ‘Understanding the needs and requirements of your organisation’s interested parties’ and is a really important part of ISO 27001.

Much like the ISO section (4.1) on internal and external issues, you are not given a great deal of guidance with those interested parties.

What is an interested party?

At its simplest, an interested party is a stakeholder. Stakeholders can have different interest, power, support levels. So rather than going ahead and creating a range of policies and controls for your interested parties, that may or may not be useful, let’s first think about how we might identify our own interested parties. And then, more importantly, begin to segment the interested parties into categories.

How to identify and categorise your interested parties

Using a four-box model, we are going to look at low and high interest and low and high power. This is because not all stakeholders and their interests are created equal.

What should be included in the ‘Keep satisfied’ category?

If a stakeholder is high power and low interest, you should be thinking of that individual or group as a ‘keep satisfied’ stakeholder. Ask yourself, what will you do in your ISMS with policies and controls to keep them satisfied? In this high power and low interest area, you might see organisations like legislators and regulators, very powerful customer groups etc.

There may also be auditors and other industry bodies. Their interest is quite low on a day to day basis, but their power to affect your business goals is high.  

What type of party should be included in the ‘Key player’ category?

If an interested party has both a high interest and high power, we would call them a key player. These stakeholders are most happy when they are actively involved. You might actually have some of your customers in this category. They may be very interested in how you are working day today as it also impact them too. Your senior management team, boutique critical suppliers etc. will likely fall into this category.

Who are the other interested parties and what are your next steps?

Entities that have a lot of interest in what you are doing, but don’t have a huge amount of power or influence over you, may include suppliers looking to sell to you, or perhaps media and commentators. Those that are low interest and low power are often competitors.

Combining this interested parties work with the internal and external issues you will have identified in 4.1 helps lead towards a better understanding of where threats and vulnerabilities might stem from. That coupled with the scope of your ISMS (4.3) leads towards a much more logical and business led approach to the risk assessment in 6.1 that follows.

In our ISMS.online software we have built an interested party environment to help you to easily capture, prioritise approaches around the stakeholders and easily keep the work up to date thereafter.  The tool also comes with a ‘bank’ of interested parties that can quickly be added to the map.  They will also trigger ideas for other stakeholders and help identify where the risks might evolve from too.

In ISMS.online we provide a template policy and the tool to meet the requirements of ISO 27001 Clause 4.2.

Subscribe to our ISO 27001 Virtual Coach and you will also have expert guidance on this and all the other
ISO 27001 core requirements and Annex A controls.

Ready to take action?

Discover how ISMS.online can help you achieve or improve on your ISMS objectives


Need ISO 27001 policies and controls for your ISMS?

ISMS.online includes practical policies and controls for your organisation to easily adopt, adapt and add to, giving you up to 77% head start with ISO 27001 documentation. 



Ready to take action?

Discover how ISMS.online can help you achieve or improve on your ISMS objectives

ISMS Online Rating: 5 out of 5
Share This