What is it?
Understanding The Needs And Expectations of Interested Parties requires you to work out who your key stakeholders are. An interested party is anyone who can affect, be affected by, or believes they can be affected by your information security. This includes people inside your company and outside of it. ISO 27001:2022 Clause 4.2 asks for three things: identify the interested parties relevant to your ISMS, determine their requirements that are relevant to information security, and decide which of those requirements you will address through the ISMS. It is a foundational part of your overall security plan because everything that follows (scope, risk assessment, control selection) builds on it.
Table of contents
- What is it?
- Applicability to Small Businesses, Tech Startups, and AI Companies
- ISO 27001 Interested Parties Template
- Why do you need it?
- When do you need it?
- Who needs it?
- Where do you need it?
- How do you write it?
- How do you implement it?
- Examples of using it for small businesses
- Examples of using it for tech startups
- Examples of using it for AI companies
- How can the ISO 27001 toolkit help?
- Which other information security standards need it?
- What are the relevant ISO 27001:2022 controls?
- ISO 27001 Interested Parties FAQ
Applicability to Small Businesses, Tech Startups, and AI Companies
This process applies to every business, whatever its size, but the interested parties and their expectations will differ.
- Small Businesses: Your interested parties might be your customers, a bank that gave you a loan, or a specific regulatory body if your business is in a regulated industry. Their expectations are likely straightforward, like keeping their data safe.
- Tech Startups: For you, interested parties include your investors, users, and business partners. Their expectations are often high. Users expect their data to be private, and investors want to make sure their investment is secure from cyber threats.
- AI Companies: Your stakeholders are unique. They include the public, who may be concerned about the ethical use of your AI, and data providers, who expect their data to be handled with extreme care. Your founders and investors also expect you to protect your intellectual property, such as trained models and training data.
ISO 27001 Interested Parties Template
The ISO 27001:2022 Context Of Organisation template is designed to fast-track your implementation and give you an industry best-practice document template that is pre-written and ready to go. It is included in the ISO 27001 toolkit.
Why do you need it?
You can’t have an effective information security management system (ISMS) in a bubble. This step makes sure you consider everyone who has a stake in your security. If you don’t meet these expectations, you could lose customers, face legal issues, or damage your reputation. It also helps you prioritise your security efforts on what really matters to these key groups.
When do you need it?
You should do this right after you understand your own organisational context (Clause 4.1). It is the second step in your ISO 27001 journey. Do it at the beginning of your project, then review and update it regularly. Whenever a new stakeholder appears, or an existing one changes their requirements, you will need to update the document.
Who needs it?
You, as the person leading the ISO 27001 project, will need to put this together. You should also involve your management team and key people from different departments, like sales, HR, and legal. Their input is key to making sure you capture everyone’s expectations accurately.
Where do you need it?
This isn’t a physical place. It’s a key piece of your ISO 27001 documentation. You’ll likely store this document in a central, secure place with all your other ISO 27001 files, so it’s easy to access and review.
How do you write it?
Start by listing everyone who could be considered an interested party: employees, customers, suppliers, regulators and government bodies, investors, and so on. Then, for each group, write down their specific needs and expectations, note where each requirement comes from (a contract, a law, a direct request), and mark which of those requirements you will address through the ISMS, since ISO 27001:2022 asks for this explicitly. For example, your customers need their data to be kept private, and your employees need clear security policies to follow. A table with columns for the party, the requirement, its source, and how it is addressed keeps the document neat and easy to read.
How do you implement it?
Once you have your list, you need to use the information. It should directly influence your security policies and controls. For instance, if your customers expect their data to be encrypted, you will need to implement a cryptography control (Annex A 8.24, Use of cryptography) and be able to show it is working. The needs and expectations of your interested parties feed your entire risk assessment process and give you the justification for each control you select in the Statement of Applicability.
Examples of using it for small businesses
For a Small Business (e.g., a local accounting firm): Your interested parties are your clients and the tax authorities. Your clients expect their financial data to be confidential and protected from cyberattacks. The tax authorities expect you to comply with all relevant financial regulations. Your plan would include strong access controls and data backup.
Examples of using it for tech startups
For a Tech Startup (e.g., a new fitness app): Your main interested parties are your users, who expect their health data to be private, and the app stores you publish through, which have their own rules about data privacy. You would need strong data privacy policies and a clear privacy notice.
Examples of using it for AI companies
For an AI Company (e.g., a self-driving car company): Your stakeholders include your customers, the public, and government regulators. Your customers expect the car to be safe and their driving data to be secure. The public expects your AI to make safe, ethical decisions. Regulators expect you to comply with safety and privacy laws. Your plan would need to include rigorous security testing and robust data protection measures.
How can the ISO 27001 toolkit help?
The toolkit for ISO 27001 includes a template specifically for interested parties. It will guide you through the process, providing examples of different interested parties and their potential needs and expectations. This makes it a lot easier to start and ensure you don’t miss anyone.
Which other information security standards need it?
Identifying interested parties is a core requirement of the Harmonized Structure (formerly Annex SL) shared by all ISO management system standards, so ISO 9001 (Quality Management) and ISO 14001 (Environmental Management) each have their own Clause 4.2 asking the same question. The same stakeholder analysis also feeds your compliance with:
- GDPR (General Data Protection Regulation)
- CCPA (California Consumer Privacy Act)
- DORA (Digital Operational Resilience Act)
- NIS2 (the revised Network and Information Security Directive)
- SOC 2 (System and Organization Controls 2)
- NIST frameworks (National Institute of Standards and Technology, e.g. the Cybersecurity Framework)
- HIPAA (Health Insurance Portability and Accountability Act)
What are the relevant ISO 27001:2022 controls?
This step, like understanding the context of the organisation, sets the foundation for your ISMS. It is not an Annex A control but a mandatory clause: ISO 27001:2022 Clause 4.2, Understanding The Needs And Expectations of Interested Parties. The information you gather here helps you select and justify the Annex A controls you implement.
For Small Businesses
You’ll likely choose controls that directly relate to your customers and basic security. This includes:
- ISO 27001:2022 Annex A 5.34 Privacy And Protection Of PII
- ISO 27001:2022 Annex A 5.19 Information Security In Supplier Relationships
- ISO 27001:2022 Annex A 5.23 Information Security For Use Of Cloud Services
For Tech Startups
Your focus will be on user data and your tech partners. This means controls like:
- ISO 27001:2022 Annex A 5.23 Information Security For Use Of Cloud Services
- ISO 27001:2022 Annex A 8.3 Information Access Restriction
- ISO 27001:2022 Annex A 5.18 Access Rights
- ISO 27001:2022 Annex A 5.15 Access Control
- ISO 27001:2022 Annex A 8.25 Secure Development Life Cycle
For AI Companies
You’ll need controls that address legal compliance, data leakage, and independent assurance. This includes:
- ISO 27001:2022 Annex A 5.31 Legal, statutory, regulatory and contractual requirements
- ISO 27001:2022 Annex A 5.23 Information Security For Use Of Cloud Services
- ISO 27001:2022 Annex A 8.12 Data Leakage Prevention
- ISO 27001:2022 Annex A 5.35 Independent Review Of Information Security
ISO 27001 Interested Parties FAQ
An interested party is not limited to one type of stakeholder: it can be anyone from an employee to a government agency.
To find out what interested parties need, ask them directly, review their contracts, or check the regulations that apply to your industry.
You do not need to list every individual; list groups of people, such as “customers” or “suppliers”.
The needs of different parties sometimes conflict. For example, a customer wants easy access while a regulator wants very strict controls; you have to find a balance.
If you miss an interested party, you can always add them later. The document is meant to be updated as your business grows and changes.
The result must be documented so an auditor can review it.
This step is not the risk assessment itself; it helps you decide what the risk assessment needs to cover.
A very small business will have a shorter list of interested parties, which is fine.
Have your management team review and approve the document.
Review it at least once a year, or whenever there is a big change in your business.
Be detailed enough to understand clearly what is expected, but not so detailed that the document becomes overwhelming.
A need is something a party must have (like compliance), while an expectation is something they want (like quick response times).
Your employees and management are interested parties too.
Identifying the regulations that apply to you ensures your security plan meets legal requirements.
When an interested party’s requirements change, update the document and, if needed, your security controls.