ISO 27001 Interested Parties Examples


In this article, we look at the requirements specified under clause 4.2 of ISO 27001:2013 – Understanding the needs and expectations of interested parties. We look at the requirements of the clause, what you need to do to be compliant with these requirements, and provide interested parties examples for your use.

What does understanding the needs and expectations of interested parties mean in ISO 27001?

When establishing the information security management system, the organisation must first understand its own
business (4.1 Understanding the organization and its context) before defining the needs and expectations of
interested parties. This is to ensure that the management system is designed to meet the requirements of its
stakeholders, that it is fit for purpose and that it achieves its intended outcomes.

We will look at use cases in more detail shortly, but as a quick example imagine one of your interested parties to be your customers who entrust the security of their data to you on a daily basis. As an interested party, they would expect their data to be safe, secure and accessible to them at all times. If the information security management system does not support these requirements, then it would not be considered fit for purpose and would almost certainly fail. It is therefore important that the needs and expectations of all interested parties are defined when establishing the system.

Who would be included as an interested party?


As mentioned above, interested parties are any individual or group of individuals with an interest in the
management system and its outcomes. This includes both internal and external parties, and can range from
customers through to internal/external auditors. Each entity will have its own needs and expectations, and these
must be captured when establishing the ISMS.

ISO 27001 Interested Parties Examples

ISO 27001 Interested Parties examples may include external entities such as customers and auditors, as well as
internal entities such as management and staff. If you consider these 4 as an example, the needs and expectations may
be defined in the following way:

1. Customers expect that the confidentiality, integrity and availability of their data is secured at all times.
2. Auditors expect that a proportionate level of security controls are in place at all times to protect assets.
3. Management expect that industry best practice certifications are maintained to provide assurance to the board.
4. Staff expect their data to remain secure at all times and resources to be available to support job roles.

In reality, there will be a long list of interested parties, dependent on the type and size of organisation you
have. This list of interested parties should be maintained as documented information and be regularly
reviewed/updated in line with changes to the business.
