
ISO 27001 Interested Parties Examples

In this article, we look at the requirements specified under clause 4.2 of ISO 27001:2013 – Understanding the needs and expectations of interested parties. We look at the requirements of the clause, what you need to do to be compliant with these requirements, and provide interested parties examples for your use.

What does understanding the needs and expectations of interested parties mean in ISO 27001?

When establishing the information security management system, the organisation must first understand its own business (4.1 Understanding the organization and its context) before defining the needs and expectations of interested parties. This is to ensure that the management system is designed to meet the requirements of its stakeholders, that it is fit for purpose and that it achieves its intended outcomes.

We will look at use cases in more detail shortly, but as a quick example imagine one of your interested parties to be your customers who entrust the security of their data to you on a daily basis. As an interested party, they would expect their data to be safe, secure and accessible to them at all times.

If the information security management system does not support these requirements, then it would not be considered fit for purpose and would almost certainly fail. It is therefore important that the needs and expectations of all interested parties are defined when establishing the system.

Who would be included as an interested party?

As mentioned above, interested parties are any individual or group of individuals with an interest in the management system and its outcomes. This includes both internal and external parties, and can range from customers through to internal and external auditors. Each entity will have its own needs and expectations, and these must be captured when establishing the ISMS.

ISO 27001 interested parties examples may include external entities such as customers and auditors, as well as internal entities such as management and staff. Taking these four as an example, the needs and expectations may be defined in the following way:

  1. Customers expect that the confidentiality, integrity and availability of their data is secured at all times.
  2. Auditors expect that a proportionate level of security controls is in place at all times to protect assets.
  3. Management expect that industry best practice certifications are maintained to provide assurance to the board.
  4. Staff expect their data to remain secure at all times and resources to be available to support job roles.

In reality, there will be a long list of interested parties, dependent on the type and size of your organisation. This list of interested parties should be maintained as documented information and be regularly reviewed and updated in line with changes to the business.
