ISO 27001 Information Security - Clause 4.2 Understanding the needs and expectations of interested parties

Understanding the needs and expectations of interested parties

This clause has just 2 apparently simple requirements. In plain English, they are: Determine who is interested in your ISMS (Information Security Management System), and determine what are their requirements.

Interested parties are those that may have an effect on, be affected by, or at least perceive themselves to be affected by your organizations' decisions or activities. You need to consider; Who are the relevant interested parties for your ISMS? What are their relevant needs and expectations? There is no need to consider interested parties where your organization has decided that they are not relevant to your ISMS. If it is decided that an interested party is relevant, you may then decide which of their requirements are also relevant to your ISMS.

Who are your interested parties?

The list would vary from one organization to another. However, the following are some of the possible examples:

• Customers or clients
• Consumers or end-users
  (this group may be as per customers but may be different in some cases e.g. where a product is ordered by a customer but is intended to be consumed by others.)
• Shareholders or owners
• Directors
• Management
• Workers
• Suppliers
• Government / regulators
• Industry association
• Business partners
• Insurers
• Investors or Funding bodies
• Media

Some of these may be sub-divided into separate groups - where they may have diverging requirements.

What are their relevant requirements?

This may include needs and expectations that they expressed during enquiries or other business contacts with a particular client or cohort of clients. Of course, it would definitely include any contractual obligations that you enter into.

It may also include legal and regulatory compliance. That applies even if the client is not aware of them and hasn't expressed the requirement for such compliance.

Ensuring and demonstrating compliance

You will need some means of ensuring and demonstrating that you have determined, monitored and reviewed the relevant interested parties, and their relevant needs and expectations. Once again, although ISO 27001 does not specify any required documents, you might consider that some type of document would be useful to capture the relevant information and enable it to be monitored, reviewed, and updated over time. One option is to maintain an Interested parties table as a standalone document or part of a documented ISMS Overview.

Our preference is for a table with a 4-column layout.

• The 1st column is to list the interested parties.
• The 2nd column is to list their relevant needs and expectations.
• The 3rd column identifies whether the item is a 'compliance obligation' e.g. a legal, contractual requirement or other requirement that you choose to comply with.
• The 4th column references what you do to meet the identified needs / expectations.

This clause is often addressed at the same time as clause 4.1 'Understanding the context of the organization'.  The information that you develop for these two clauses will play an important part in guiding your management system.

As with the previous clause, these requirements will change over time. So, it's a good idea to periodically monitor and review.

A more detailed explanation with examples and a template interested parties table can be found in ISO 27001 InfoSec Toolkit included in Qudos 3 IMS software.

The previous blog in this series is clause 4.1 Understanding the context of the organization.

The next blog in this series is clause 4.3 Scope.