How to Meet the ISO 27001 Requirements Around Interested Parties

Who are your interested parties?

First and foremost you will need to understand who or what is considered an ‘interested party’.  As per Clause 4.2 of ISO 27001, you are required to determine interested parties that are relevant to the information security management system.  The context of your organisation will provide a framework for identifying the various individuals and entities that have a stake in the operations, performance, and outcomes of your organisation and are, therefore, interested parties.

As there are internal and external factors that shape your organisation’s strategies, there are also internal and external interested parties. Examples of interested parties internal to the organisation include executive members/leaders, employees, and legal and compliance teams. External interested parties can include customers, suppliers, competitors, partners, legal and regulatory bodies, insurance providers, auditors and assessors, media, landlords, etc.  

Relational mapping will help you to visualise the interconnectedness of different parties, and this will require you to thoroughly consider new and existing relationships essential to the organisation, both internal and external.  It is important to remember that you need to not only consider relationships that benefit your organisation, but will also need to consider competitors and influencers which impact business decisions and planning.

‍

‍

What are your interested parties’ needs?

Once you have identified your interested parties, it is important to understand and manage their requirements and expectations, but to do so you will need to establish what those requirements and expectations include.  Expectations can encompass a wide range of factors including quality, service, security, ethical behavior, and social responsibility. Requirements, on the other hand, are more specific and represent mandatory criteria, conditions, or standards that your organisation is expected to adhere to.  By keeping this difference in mind, it will be much easier to determine who requires or expects what from your organisation.

Clause 4.2 of the Standard states that certified organisations need to determine the relevant requirements of the interested parties.  Using the example of a customer as an interested party, their relevant expectations could include maintaining data confidentiality, high data and services availability, and secure data backup.  Meanwhile, their requirements would include compliance with quality and industrial regulations, fulfillment of legal obligations, abiding by a contract or service-level agreement (SLA), etc.  

It is important to note that each of your interested parties’ requirements can vary in nature.  For example, while customers can be categorised as one interested party, government customers might have slightly different security requirements and may need to be catergorised as a separate interested party.  Some sources to collect and understand such interested parties’ needs can be reviews, surveys, feedback, interviews, contracts and agreements, government legal and regulatory requirements, market searches, and industry benchmarks.

‍

How will the interested parties’ needs be addressed, and by whom?

Next, you will need to establish how these requirements and expectations will be addressed through the ISMS.  Based on the requirements and expectations of interested parties, you should define specific, measurable, achievable, relevant, and time bound (S.M.A.R.T) objectives.

If we return to the previous example of a customer as your interested party, you would need to set a few security objectives which are aligned with your customers’ expectations and requirements, such as availability of service, data backup, data confidentiality, etc.  Once the objectives have been set, the next step is to keep track of how to achieve those objectives. Developing metrics such as key performance indicators (KPIs) can help you set a baseline for measuring and monitoring these objectives.  Once KPIs are defined, you will need to set targets to track progress, and benchmarks can be set to elevate target achievement such as data confidentiality > 95 %, data backup > 85%, availability > 95%, etc.  

You will also need to define and allocate roles and responsibilities to individuals who will supervise the work involved in achieving the objectives.  If we again use the example of a customer here, a customer success manager (CSM), IT Support Manager, data protection officer (DPO), etc., would all be appropriate personnel to perform this supervision.  

Periodic reviews are an essential part of evaluating the ISMS’ success and, like with most processes, policies, and procedures, these must be conducted to assess the effectiveness of the objectives set to meet the needs and expectations of your interested parties.  These reviews can be done internally or by a third party, and can be performed through direct contact via service review meetings, customer feedback, periodic checks via email, etc.  The reviews will provide a clear understanding of what went well and what needs to be improved.  

There is a new requirement in Clause 9.3 of ISO 27001:2022 that the management review include considerations of changes in needs and expectations of the interested parties relevant to the ISMS.  This can be a result of risk assessment, incident management, or simply compliance and regulatory change.  These activities will provide valuable evidence for capturing any changes to the requirements of the interested parties and are a source of continual improvement.  

When and what should you communicate with interested parties?

Your information security policies and any changes made to the ISMS will need to be communicated to your relevant interested parties.  Clause 7.4 of the Standard states that you should determine the need for internal and external communications relevant to ISMS including what, when, with whom, and how to communicate.  ‘What’ you need to communicate can include security incidents, supply chain or delivery changes, risks, data breaches, policy changes, moving to or opening a new location that affects the scope of ISMS, etc.  

‘When’ to communicate is crucial, so it may be useful to prioritise the communication of information that will have a significant impact on your organisation if not communicated in time.  This will mostly include security incidents or risk that impacts interested parties’ data or services.

Roles and responsibilities as well as the way information is classified within your organisation will help determine ‘who’ will communicate.  For example, when handling more sensitive information such as data breaches, risk assessments, and security incidents, this can be conveyed by a DPO, human resources (HR), risk manager, line manager or chief information security officer (CISO).  

Finally, you will need to determine ‘how’ you will communicate, which can vary from an email, call, in-person meeting, official letter, web announcement to a team meeting.  Generally, internal communication will take place by email, management review meetings, sprint meetings, team meetings, official web communication channels, etc., while external communication tends to occur via email, phone call, official letter, fax, web announcement, etc.  Regardless of the means, it is imperative to communicate effectively and in time.

By keeping the above steps in mind you can confidently understand and capture the needs of interested parties, and formulate ways to track, measure, and continually improve your management of their expectations and requirements.