Clause 4.2 of ISO 27001 details the needs and expectations of interested parties.
An interested party is essentially a stakeholder – an individual or a group of people affected by your organisation’s information security activities.
To identify your interested parties, ask yourself who is important for your organisation, who is interested in your business activities and who would benefit from you improving your information security.
Examples of interested parties include:
- Employees, who need to understand their security obligations;
- Owners and shareholders of your organisation, as they want to be reassured about the security of their investment;
- Government agencies and regulators, as they impose information security requirements and check that these have been adhered to;
- Customers, as they would appreciate the reassurance that their personal data is safe;
- Media outlets that might publish or broadcast news related to your incidents; and
- Suppliers and partners, which want to know that you applied their requirements and must be made aware of any new contractual requirements related to information security.
Why are interested parties important for your organisation?
Addressing the needs of interested parties will affect your organisation in different ways – and these are often mutually beneficial.
For example, employees and suppliers need to understand how to handle sensitive data, as it will mitigate the risk of security incidents and ensure that your processes become more efficient.
Similarly, the media and customers want organisations to provide transparent explanations about security incidents. Doing this demonstrates that you have a clear understanding of what has happened, the extent of the damage and how you can rectify it.
Providing a clear, concise message helps them understand the facts and protects you from undue criticism.
Indeed, if your response is strong enough, you may counteract the potential reputational damage that a security incident can cause.
Balancing the needs of interested parties
Interested parties’ needs and expectations aren’t always in your best interest.
For example, cyber criminals are technically interested parties, because the stronger your defences are, the harder their job is. However, you obviously don’t want to acquiesce to their needs.
There’s a subtler example of this opposition in your relationship with customers. They generally want to share as little personal data as possible for fear that it will be breached, whereas organisations tend to want as much data as possible.
Learn more about interested parties
It’s only by establishing what interested parties want from you that you can plan accordingly and make sure everyone is satisfied.
You can find out more about identifying and evaluating your interested parties with the help of CyberComply.
This Cloud-based collection of information security software helps you take control of your cyber risk needs in one simple package.
It includes a feature that identifies the relevant legal, contractual and regulatory obligations you need to meet to ensure compliance with the interested parties clause of ISO 27001.