What is ISO 27001 Clause 4.2?
Clause 4.2. of the requirements for ISO 27001 is about 'Understanding the needs and expectations of your organisation's interested parties' and is a really important part of ISO 27001.
Much like ISO clause (4.1) on internal and external issues, you are not given a great deal of guidance around interested parties so let's address that and give some firmer foundations from which to build the information security management system on.
What is an Interested Party when it comes to ISO 27001?
At its simplest, an interested party is a stakeholder - someone, a group or an entity with an interest in your ISMS (or perhaps the organisation itself).
You should be able to easily identify many of your interested parties after having completed the internal and external issues that impact the intended outcomes of the information security management system.
These will include staff, suppliers, customers, shareholders, directors, prospects, board members, competitors, legislators and regulators, unions etc.
Interested parties are not always the obvious ones too - for example hackers and related malicious parties might need consideration, as do the media and others depending on the nature of your business and the issues facing it.
However rather than creating a range of one size fits all policies and controls for all your interested parties, it is better to look at those interested parties in terms of their power, interest and support - in simple terms this is about their ability to affect your approach to the ISMS.
Then you can develop suitable approaches to demonstrate you have their needs covered (and of course yours where its a possible saboteur too!)
As an example if you had a customer that demands you invest in ISO 27001 and build an independently certified ISO 27001 ISMS would you do that if they were a very small non-influential player? You'd probably think again if that customer was one of many you wanted to win, or a large powerful player in its own right.
Would you think about encryption if it was not a regulation requirement for GDPR - legislators and regulators (supervisory authorities) are a powerful 'keep satisfied' stakeholder you need to consider and show that you have their interests addressed!
How to do Interested Party & Stakeholder Management for ISO 27001?
Whether you choose to do something basic in a document or a spreadsheet, we'd encourage the 4 box type thinking to help you make better decisions around where to invest limited resources for the best ISMS outcomes.
Who are the Interested Parties to Keep Satisfied for an ISO 27001 ISMS?
If a stakeholder is high power and low interest, you should be thinking of that individual or group as a 'keep satisfied' stakeholder. Ask yourself, what will you do in your ISMS with policies and controls to keep them satisfied?
In this high power and low interest area, you might see organisations like legislators and regulators, very powerful customer groups, shareholders etc. There may also be external auditors and other industry bodies who can affect your business success.
Their interest is quite low on a day to day basis, but their power to affect your business goals is high so they need to be kept satisfied - usually from a distance and having an independently certified ISO 27001 certificate goes some way to addressing their needs.
The very powerful interested parties for information assurance such as regulators may also prescribe specific ways of working - GDPR and the Data Protection Act being very current examples.
Considering other interested parties needs for a successful ISO 27001 ISMS
If an interested party has both high interest and high power, we would call them a key player. These stakeholders should be actively involved. Your senior management team, key department heads, boutique critical suppliers etc. will likely fall into this category. You might actually have some of your intimately engaged important customers in this category. They may be very interested in how you are working day to day as it also impacts them too.
It is easy to create long lists of stakeholders to consider but be wary of spending too long on the ones with lower power. Those with lower power and higher interest are in need of keeping informed but may not need to be consulted on what your ISMS covers - you may just need to tell them otherwise they could be a big suck on your time and investment budget!
Also, be careful about simply dumping stakeholders you don't like in the lower power buckets - we saw this happen in one firm. They paid for it later because the stakeholder was actually quite powerful and delayed them achieving their goals because their requirements were not prioritised.
Combining this interested parties and stakeholder work with the internal and external issues you have identified in 4.1 helps lead towards a better understanding of where threats and opportunities might stem from in your information security management system.
That coupled with the scope of your ISMS (4.3) leads towards a much more logical and business-led approach to the risk assessment in 6.1 and much greater information assurance with policies and controls that your staff and stakeholders will value and embrace.