ISO 27001 Information Security - Clause 4.2 Understanding the needs and expectations of interested parties

Clause 4.2 Interested parties

18 April 2022 - ISO 27001 Information Security in plain English - Blog post #2. Clause 4.2 has just 2 apparently simple requirements. In plain English, they are: Determine who is interested in your ISMS (Information Security Management System), and determine what are their requirements. This article explains the clause and how it may be addressed.


ISO 27001 Information Security in plain English

Information Security is becoming critical to every business, and there is a fast-growing trend towards developing management systems based on the ISO 27001 standard.  However, the subject and its terminology can certainly be a little daunting. So, we set out to cut through that in 'ISO 27001 Information Security in plain English' - a series of blogs articles that explains all clauses and controls in the standard.

Understanding the needs and expectations of interested parties

This clause has just 2 apparently simple requirements. In plain English, they are: Determine who is interested in your ISMS (Information Security Management System), and determine what are their requirements.

Interested parties are those that may have an effect on, be affected by, or at least perceive themselves to be affected by your organizations' decisions or activities. You need to consider; Who are the relevant interested parties for your ISMS? What are their relevant needs and expectations? There is no need to consider interested parties where your organization has decided that they are not relevant to your ISMS. If it is decided that an interested party is relevant, you may then decide which of their requirements are also relevant to your ISMS.

Who are your interested parties?

The list would vary from one organization to another. However, the following are some of the possible examples:

  • Customers or clients
  • Consumers or end-users
    (this group may be as per customers but may be different in some cases e.g. where a product is ordered by a customer but is intended to be consumed by others.)
  • Shareholders or owners
  • Directors
  • Management
  • Workers
  • Suppliers
  • Government / regulators
  • Industry association
  • Business partners
  • Insurers
  • Investors or Funding bodies
  • Media

Some of these may be sub-divided into separate groups - where they may have diverging requirements.

What are their relevant requirements?

This may include needs and expectations that they expressed during enquiries or other business contacts with a particular client or cohort of clients. Of course, it would definitely include any contractual obligations that you enter into.

It may also include legal and regulatory compliance. That applies even if the client is not aware of them and hasn't expressed the requirement for such compliance.

Ensuring and demonstrating compliance

You will need some means of ensuring and demonstrating that you have determined, monitored and reviewed the relevant interested parties, and their relevant needs and expectations. Once again, although ISO 27001 does not specify any required documents, you might consider that some type of document would be useful to capture the relevant information and enable it to be monitored, reviewed, and updated over time. One option is to maintain an Interested parties table as a standalone document or part of a documented ISMS Overview.

Our preference is for a table with a 4-column layout.

  • The 1st column is to list the interested parties.
  • The 2nd column is to list their relevant needs and expectations.
  • The 3rd column identifies whether the item is a 'compliance obligation' e.g. a legal, contractual requirement or other requirement that you choose to comply with.
  • The 4th column references what you do to meet the identified needs / expectations.

This clause is often addressed at the same time as clause 4.1 'Understanding the context of the organization'.  The information that you develop for these two clauses will play an important part in guiding your management system.

As with the previous clause, these requirements will change over time. So, it's a good idea to periodically monitor and review.

A more detailed explanation with examples and a template interested parties table can be found in ISO 27001 InfoSec Toolkit included in Qudos 3 IMS software.

The previous blog in this series is clause 4.1 Understanding the context of the organization.

The next blog in this series is clause 4.3 Scope.

ISO 27001 Information Security in plain English

This blog post is part of a series where we will work through all the clauses and controls in ISO 27001. A great starting point for developing your ISMS.

This blog series began with an introductory webinar. A copy of the slide deck is available for you here:

Qudos_ISO_27001 Information_Security_in_plain_English (PDF)

Click the LinkedIn Follow button below to receive notifications of further articles in the series.

There's nothing like word of mouth to share creative content. So, if you found this blog useful, please share it with a colleague or business associate.


Ready to start your journey to ISO 27001?

Qudos 3 IMS software includes a more in-depth version of this post, templates for your interested parties' table with numerous examples, facilities to securely manage documents created, and tools to schedule and record reviews - with automated assignment and tracking of actions.

The first step to commencing a management system based on ISO 27001 is to conduct a gap analysis. We can provide a qualified, experience certification auditor to perform a Gap Analysis service for you.

Contact us today to discuss your needs!

Photo by Jacek Dylag on Unsplash