Examples of ISO 27001 interested parties and your compliance requirements

Clause 4.2 of ISO 27001 is titled “Understanding the needs and expectations of interested parties”.

But what is an ‘interested party’? The Standard isn’t as clear as it should be, so let’s rectify that here with this simple guide.

What is an interested party?

An interested party is essentially a stakeholder – an individual or a group of people affected by your organisation’s activities.

In the context of ISO 27001, their interest regards your ISMS (information security management system) and your ability to prevent data breaches.

Examples of interested parties

Interested parties can include any of the following:

  • Employees, because they are the people who comply with the practices outlined in the ISMS.
  • Shareholders, because effective information security influences the organisation’s financial success.
  • Regulators and the government, because they create information security laws and ensure they are being met.
  • Suppliers and partners, because you have contractual arrangements about the way sensitive information is protected.
  • The media, because there is far more mainstream coverage of data breaches and a wider public interest in the way organisations protect personal information.
  • Customers, because they use your services and share sensitive information with you.

How to identify interested parties

There are two ways to work out who your interested parties are.

First, you can ask department managers and other senior personnel, as they’ll have a solid understanding of who your information security practices affect.

Alternatively, you can identify interested parties by reviewing your documentation.

Clause 4.1 of ISO 27001, “Understanding the organisation and its context”, requires you to outline the internal and external issues that affect the intended outcomes of your ISMS, which in turn reveals interested parties.

This sounds like a complex piece of documentation, but the goal isn’t to create a comprehensive overview of everything happening in your organisation.

Rather, you’re simply looking to get a better understanding of the way information security decisions affect you.

For example, a common issue involves the lack of control over the way you manage employees at third parties.

You’ll eventually have to decide how to address this, which is where things do get complicated, but for now, you only need to note what the issue is and who is affected.

So, in this case, you’d note that suppliers are affected by the security risks of outsourcing.

The needs and expectations of interested parties

Once you have a list of interested parties, you need to document their needs and expectations, i.e. what they want from your organisation.

For example, employees want clear instructions on how to handle sensitive data, suppliers want achievable contractual agreements, and the media want transparency regarding security incidents.

General statements like this are a good starting point, but you must be as specific as possible in the documentation process. State what clauses are necessary in supplier contracts, how employees should protect sensitive data, and so on.

You also need to determine whether the needs and expectations of interested parties are in your best interests.

Cyber criminals are technically interested parties, as they are affected by your organisation’s security practices (the stronger your defences are, the harder their job is), but what they want is obviously the opposite of what you want.

There’s a subtler example of this dichotomy in your relationship with customers. They generally want to share as little sensitive information as possible for fear that it will be breached, whereas organisations tend to want as much data as possible.

It’s only by establishing what interested parties want from you that you can plan accordingly and make sure everyone is satisfied.

You’ll find that the steps you take to address the needs and expectations of one interested party will often benefit another.

For example, a contractual agreement with a supplier might also ensure you meet a regulatory requirement to shore up your overall security practices, satisfying clients who want to know whether they can trust your organisation to protect their personal data.

Not all interested parties are equally important

Solutions to interested parties’ needs aren’t always mutually beneficial. In those cases, you must prioritise some actions.

Working out whose needs are most important is as simple as determining what the negative consequences of ignoring an interested party’s needs are.

Say someone thinks your organisation should be more rigorous with data encryption. Who that person is will have a huge influence on whether you take their advice.

A new customer, for example, might not mean that much to you: there’s relatively little to be lost by ignoring their needs and expectations, and they may or may not do more business with you regardless of whether you follow their advice.

But it’s a different story if it’s one of your most highly valued clients. Ignore their request and you run the risk of losing their business.

Suddenly, data encryption is a top priority and should be a key consideration when looking at solutions based on your risk assessment – which is the process where your ISMS takes shape.

Creating an ISMS with this information

You can find out more about identifying and evaluating your interested parties with the help of CyberComply.

This Cloud-based collection of information security software helps you take control of your cyber risk needs in one simple package.

It includes a feature that identifies the relevant legal, contractual and regulatory obligations you need to meet to ensure compliance with the interested parties clause of ISO 27001.

Find out more about CyberComply