Template and example of how to do Interested Parties in ISO27001 (Clause 4.2)
[Updated to add the new requirement in the 2022 version of ISO27001 to identify those requirements of interested parties that will be met by the Information Security Management System]
[Edited Feb 2024 to add some text about possible climate change issues that might affect information security.]
This article gives some advice and a template to help meet the interested parties (or stakeholders) requirement of clause 4.2 of ISO27001.
You create a table with 2 columns. The first column is the list of interested parties that may have some relevance to information security. The 2nd column is the requirements of those interested parties relevant to information security. Some of these interested parties place a requirement on you from an information security perspective; for others, you place a requirement on them from an information security perspective.
Below is a typical example list of possible interested parties (i.e., column 1 of the table):
- Clients
- Ex-Clients
- Any specific named big important clients – e.g. “Fred Bloggs widget manufacturer”
- End customers of the Clients – e.g. the people our clients are providing a service to – e.g. “Public looking for a mortgage”.
- Prospects
- Legal, Regulatory and supervisory bodies
- Any specific named important regulators – e.g. “Information Commissioner’s Office (ICO)”
- Suppliers/Sub-contractors
- Ex-Suppliers
- Any specific named important suppliers – e.g. “AWS”.
- Group Centre/Head Office
- Board of Directors
- Shareholders & Investors
- Subsidiaries
- Employees and contractors including temporary staff
- Ex-employees
- Landlord
- Tenants
- The organisation we share an office with.
- The organisation we share a building with.
- Certification Body
- Hackers
- State Hackers
- Competitors
- Etc
You might think it is a bit silly to have Hackers in this but they are interested in you from an information security perspective.
For each of these, in the 2nd column of the table you then state briefly what this interest is. Specifically, what requirements they place on you or you place on them from an information security perspective. For many of them it might be something fairly generic like:
- ISO27001 compliance or ISO27001 certification.
- Protection of the integrity, availability and confidentiality of their data.
- Assurance that all reasonable steps are being taken to manage the information security risks of managing their data.
- Do not have any information security incidents of relevance to them or their data.
- Notify them of any information security incidents of relevance to them.
Some of the interested parties may have more specific requirements – for example some clients and data protection regulators (e.g. ICO) may insist on being notified of incidents within (say) 72 hours.
If you can’t think of anything to put in this 2nd column then they are probably not interested parties from an information security perspective.
You are also required to identify which of these requirements of interested parties will be met by the Information Security Management System (ISMS). I suggest just marking them in some way - perhaps in a different colour. It is a business decision as to which of these requirements will be met by the ISMS. You are not required to meet them all if you do not wish to do so.
I usually add some additional columns although these are not required by ISO27001, for example:
- What is the relationship between us and the interested party? A one sentence/paragraph description.
- What are the key types of information of interest? A short simple list - e.g. Client personal data, health data, payroll data, performance data, financial data, pricing data, etc. (This is a sort of minimal information asset register/list.)
- Who is the named key person in our organisation who is responsible for this relationship and communicating with this interested party?
- The key principles of the communication approach with the interested party. E.g. a short list of what is communicated (e.g. ISO27001 status, breaches) and how (e.g. phone call, email). This can help meet the requirements of clause 7.3 Awareness and 7.4 Communication.
Also, to cover the climate change point mentioned at the top of this article, you should add some text at the top of the document - something like “We have considered any information security requirements from our interested parties that relate to climate change and any that we have identified have been documented”.
Chris