ISO 27001 Clause 4.2 Understanding The Needs And Expectations of Interested Parties

Home / ISO 27001 Clauses / ISO 27001 Clause 4.2 Understanding The Needs And Expectations of Interested Parties

The information security management system needs to meet the needs and expectations of interested parties. We are going to look at how to identify them and what their requirements are.

In this ultimate guide to ISO 27001:2022 Clause 4.2 Understanding The Needs And Expectations of Interested Parties you will learn

  • What ISO 27001 Clause 4.2 is
  • How to implement it
  • Examples of interested parties and their needs

What is it?

ISO 27001 Clause 4.2 is Understanding The Needs And Expectations of Interested Parties and it requires an organisation to understand who has an interest in the information security management system, what their requirements are and how those requirements are being met.

The focus for this ISO 27001 Clause is basically a good old fashioned stakeholder analysis.

As one of the ISO 27001 controls this is about working out who really cares or is relevant to the information security management system.

These are people that might have a requirement for it to do something, to achieve something or to be something.

Specifically we are looking at people that might have an interest in the effectiveness of the information security management and what their actual requirements are.

Once you know what their requirements are it is then just a case of making a link to show how the information security management systems will meet these needs.

ISO 27001 Clause 4.2 forms part of ISO 27001 Clause 4 Context of Organisation.

In ISO 27001 clause 4.1 we looked at understanding the organisation and its context which broke down into identifying internal and external issues.

Here we are going to look at the needs and the expectations of interested parties.

This is another quick win as the same interested parties come up time and time again and their requirements rarely change, irrespective of the business you are in. That is why we were able to pre populate our Context of Organisation Template leaving little if any work to do other than review it.

ISO 27001 Interested Parties Example

Purpose

The purpose of ISO 27001 clause 4.2 is to ensure you have considered people, their requirements and how you will address those requirements when implementing and operating your information security management system (ISMS).

Definition

The ISO 27001 standard defines ISO 27001:2022 Clause 4.2 as:

The organisation shall determine:
a) interested parties that are relevant to the information security management system
b) the requirements of these interested parties
c) which of these requirements will be addressed through the information security management system.

ISO 27001:2022 Clause 4.2 Understanding The Needs And Expectations Of Interested Parties

Requirement

This is an ISO 27001 control that requires you to identify and document:

  • who is relevant to you information security management system (ISMS)
  • what their requirements are
  • how the information security management system (ISMS) will meet those requirements.

Implementation Guide

The following is a step by step implementation guide to comply with ISO 27001 Clause 4.2 Understanding The Needs And Expectations of Interested Parties:

  • identify the interested parties
  • identify the requirements of those interested parties
  • demonstrate how your information security management system (ISMS) meets those requirements
  • document it
  • approve and sign it off

Lets explore each of these steps in more detail.

Identify ISO 27001 Interested Parties

Identify and record those people and entities that have an interest in the information security management.

Consider using a traditional stakeholder analysis.

You can brainstorm amongst company peers, including senior management and business owners the list of interested parties.

Examples and a standard list are provided pre written and pre populated in the Context of Organisation template.

Identify the ISO 27001 interested parties requirements

The requirements of the ISO 27001 interested can be found in legal contracts, the law of the land, by asking peers in the organisation including senior management and business owners.

Examples and a standard list are provided pre written and pre populated in the Context of Organisation template.

Document the ISO 27001 interested parties and their requirements

Formally document the list of ISO 27001 interested parties and their requirements.

Approve and sign off the list of ISO 27001 interested parties and their requirements

Share the documented list of interested parties and their requirements formally at the management review team meeting.

Get acceptance from the group and record in the minutes of the meeting that this was reviewed and accepted.

ISO 27001 Templates

The ISO 27001 Context Of Organisation template fully satisfies the requirements of ISO 27001 Clause 4.2 and is pre written with common examples.

Available as individual download it is also part of the internationally best selling and award winning ISO 27001 Toolkit.

ISO 27001 Context of Organisation Template
ISO 27001 Toolkit

ISO 27001 Clause 4.2 Training Video

Watch the ISO 27001 Clause 4.2 YouTube tutorial How to implement ISO 27001 Clause 4.2 Needs and Expectations of Interested Parties

ISO 27001 Interested Parties

What are ISO 27001 Interested Parties?

Interested parties in the context of ISO 27001 are people that could have a requirement of the information security management system (ISMS).

Think of them as stakeholders that want something specific from the information security management system (ISMS) and it’s intended outcomes.

How to Identify Interested Parties

Interested parties is just another way of saying stakeholders.

You could do a traditional stakeholder analysis.

This depends really on if you are wanting to do it right or just pass the ISO 27001 certification.

You really don’t have to over think it.

Just think about who might have an interest in your information security management system actually working and doing its intended job.

Ask around, ask colleagues, ask management.

You can download our Context of Organisation Template or you can copy our list below.

How to Identify Interested Parties Requirements

Once you have identified them, you can try asking them.

As noted these come up time and time again though and are pretty standard.

If you don’t want to go to the effort of asking you can download our Context of Organisation Template or copy our list below and just verify it.

Example ISO 27001 Interested Parties

ISO 27001 Clause 4.2 Interested Parties Example

Interested PartyRequirements Relevant to ISMS
Executive Board• Legal and Regulatory Compliance
• Avoidance of data breach
• Avoidance of fines
• Commercial advantage for tender and sales
• To protect the company reputation
Shareholders• Legal and Regulatory Compliance
• Avoidance of data breach
• Avoidance of fines
• Commercial advantage for tender and sales
• To protect the company reputation
Employees• Legal and Regulatory Compliance
• To understand, implement and follow the governance framework.
• To be trained in the information security management system
• To have appropriate and adequate protection of employee and customer data
• To be able to conduct their role without undue bureaucracy.
• To work in a safe environment
Information Commissioner’s Office and Regulators• Legal and Regulatory Compliance
Law Enforcement Agencies• Legal and Regulatory Compliance
• Timely co-operation on investigations
Customers• Legal and Regulatory Compliance
• Products and services fit for purpose.
• Avoidance of data breach
Insurers• Legal and Regulatory Compliance
• Current applicable contracts for products and services.
• Current applicable contracts covering an understanding of any information security requirements.
Local Residents• No negative or adverse impact from physical and environmental security

How to pass the audit

To pass an audit of ISO 27001 Clause 4.2 you are going to

  • Understand the requirements of ISO 27001 Clause 4.2
  • Identify your interested parties
  • Assess the needs and expectations of those interested parties
  • Document it in a Context of Organisation Document

What the auditor will check

The audit is going to check a number of areas for compliance with Clause 4.2. Lets go through them

1. That you have documented interested parties

The simplest way to do this is with the fully populated ISO 27001 Context of Organisation Template.

2. That you have addressed their requirements

Be sure to record what requirements interested have on the information security management system (ISMS).

Auditors like to able to see that you have identified requirements and can link them to the information security management system and demonstrate that you are addressing. The template does it for you but if you write yourself be sure that you can do this.

Top 3 Mistakes People Make

In my experience, the top 3 mistakes people make for ISO 27001 clause 4.2 are

1. You have no evidence that anything actually happened

You need to keep records and minutes and documented evidence.

Recording interested parties that apply and their requirements shows a thorough understand of the requirement and will avoid awkward questions.

Where an interested party and their requirement was identified you are not able to link this to the information security management system and how you address it.

Even if it is something you verbally explain be sure you can demonstrate this and you understand the linkage.

3. Your document and version control is wrong

Keeping your document version control up to date, making sure that version numbers match where used, having a review evidenced in the last 12 months, having documents that have no comments in are all good practices.

FAQ

What / who are ISO 27001 Interested Parties?

Interested parties are people or entities that have an interest in how your informations security management system is built and operates. Their interests will shape how you build your management system, how you operate it and how you report on it. Examples of interested parties could include the Information Commissioner or equivalent who has an expectation that you are protecting personal information. Customer and clients may have an interest and very specific requirements on what they expect of you for information security. Internally the business owners and senior management may be interested in ensuring that the management system is efficient and does not harm profitability.

What are the ISO 27001:2022 Changes to Clause 4.2?

There is no real change to ISO 27001 clause 4.2 for the 2022 update. It has clarified that you will now determine which of the identified requirements will be addressed through the information security management system rather than implying it.

What are examples of ISO 27001 interested parties requirements?

Examples of ISO 27001 interested parties requirements would include ensuring the information security management system is operating effectively and protecting the organisation from cyber attack and legal and regulatory breach. Specific customer examples may include how you store, process or transmit their specific information and the controls that you have in place around it. Commercial requirements will come from the organisation owners and senior management teams.

Do I need to formally record and approve the ISO 27001 interested parties and their requirements?

Yes. They should be documented, approved and minuted at a management review team meeting. As part of continual improvement this list will be reviewed and updated at least annually or as significant change occurs. Significant change usually means a new client requirement in the course of business.

Who is responsible for ISO 27001 Clause 4.2?

Senior management are responsible for ensuring that ISO 27001 Clause 4.2 is implemented and maintained.

What are the benefits of ISO 27001 Clause 4.2?

Other than your ISO 27001 certification requiring it, the following are benefits of implementing ISO 27001 Annex A 4.2:
Improved security: You will have an effective information security management system that address people’s needs
Reduced risk: You will reduce the risk to your information security management system by identifying relevant people, their needs and addressing them
Improved compliance: Standards and regulations require context of organisation to be in place
Reputation Protection: In the event of a breach having effectively managed risks to the management system will reduce the potential for fines and reduce the PR impact of an event

Why is ISO 27001 Clause 4.2 important?

ISO 27001 Clause 4.2 is important because it allows you to understand what can impact your information security management system so you can address it. There are actually many people that require things from the management system. Usually that it is secure, meets laws and regulations and doesn’t lead to a data breach. But there are others. By understanding this allows to you to plan for them, mitigate and manage them and as a result increase in the effectiveness of the information security management system in meeting the business objectives and needs.

ISO 27001 Toolkit Business Edition
Do it Yourself ISO 27001 with LIVE EXPERT SUPPORT

ISO 27001:2022 requirements

ISO 27001:2022 Annex A 5 - Organisational Controls

ISO 27001 Annex A 5.1 Policies for information security

ISO 27001 Annex A 5.2 Information Security Roles and Responsibilities

ISO 27001 Annex A 5.3 Segregation of duties

ISO 27001 Annex A 5.4 Management responsibilities

ISO 27001 Annex A 5.5 Contact with authorities

ISO 27001 Annex A 5.6 Contact with special interest groups

ISO 27001 Annex A 5.7 Threat intelligence – new

ISO 27001 Annex A 5.8 Information security in project management

ISO 27001 Annex A 5.9 Inventory of information and other associated assets – change

ISO 27001 Annex A 5.10 Acceptable use of information and other associated assets – change

ISO 27001 Annex A 5.11 Return of assets

ISO 27001 Annex A 5.11 Return of assets

ISO 27001 Annex A 5.13 Labelling of information

ISO 27001 Annex A 5.14 Information transfer

ISO 27001 Annex A 5.15 Access control

ISO 27001 Annex A 5.16 Identity management

ISO 27001 Annex A 5.17 Authentication information – new

ISO 27001 Annex A 5.18 Access rights – change

ISO 27001 Annex A 5.19 Information security in supplier relationships

ISO 27001 Annex A 5.20 Addressing information security within supplier agreements

ISO 27001 Annex A 5.21 Managing information security in the ICT supply chain – new

ISO 27001 Annex A 5.22 Monitoring, review and change management of supplier services – change

ISO 27001 Annex A 5.23 Information security for use of cloud services – new

ISO 27001 Annex A 5.24 Information security incident management planning and preparation – change

ISO 27001 Annex A 5.25 Assessment and decision on information security events 

ISO 27001 Annex A 5.26 Response to information security incidents

ISO 27001 Annex A 5.27 Learning from information security incidents

ISO 27001 Annex A 5.28 Collection of evidence

ISO 27001 Annex A 5.29 Information security during disruption – change

ISO 27001 Annex A 5.31 Identification of legal, statutory, regulatory and contractual requirements

ISO 27001 Annex A 5.32 Intellectual property rights

ISO 27001 Annex A 5.33 Protection of records

ISO 27001 Annex A 5.34 Privacy and protection of PII

ISO 27001 Annex A 5.35 Independent review of information security

ISO 27001 Annex A 5.36 Compliance with policies and standards for information security

ISO 27001 Annex A 5.37 Documented operating procedures 

ISO 27001:2022 Annex A 8 - Technology Controls

ISO 27001 Annex A 8.1 User Endpoint Devices

ISO 27001 Annex A 8.2 Privileged Access Rights

ISO 27001 Annex A 8.3 Information Access Restriction

ISO 27001 Annex A 8.4 Access To Source Code

ISO 27001 Annex A 8.5 Secure Authentication

ISO 27001 Annex A 8.6 Capacity Management

ISO 27001 Annex A 8.7 Protection Against Malware

ISO 27001 Annex A 8.8 Management of Technical Vulnerabilities

ISO 27001 Annex A 8.9 Configuration Management 

ISO 27001 Annex A 8.10 Information Deletion

ISO 27001 Annex A 8.11 Data Masking

ISO 27001 Annex A 8.12 Data Leakage Prevention

ISO 27001 Annex A 8.13 Information Backup

ISO 27001 Annex A 8.14 Redundancy of Information Processing Facilities

ISO 27001 Annex A 8.15 Logging

ISO 27001 Annex A 8.16 Monitoring Activities

ISO 27001 Annex A 8.17 Clock Synchronisation

ISO 27001 Annex A 8.18 Use of Privileged Utility Programs

ISO 27001 Annex A 8.19 Installation of Software on Operational Systems

ISO 27001 Annex A 8.20 Network Security

ISO 27001 Annex A 8.21 Security of Network Services

ISO 27001 Annex A 8.22 Segregation of Networks

ISO 27001 Annex A 8.23 Web Filtering

ISO 27001 Annex A 8.24 Use of CryptographyISO27001 Annex A 8.25 Secure Development Life Cycle

ISO 27001 Annex A 8.26 Application Security Requirements

ISO 27001 Annex A 8.27 Secure Systems Architecture and Engineering Principles

ISO 27001 Annex A 8.28 Secure Coding

ISO 27001 Annex A 8.29 Security Testing in Development and Acceptance

ISO 27001 Annex A 8.30 Outsourced Development

ISO 27001 Annex A 8.31 Separation of Development, Test and Production Environments

ISO 27001 Annex A 8.32 Change Management

ISO 27001 Annex A 8.33 Test Information

ISO 27001 Annex A 8.34 Protection of information systems during audit testing