ISO 27001 interested parties are the stakeholders in the Information Security Management System (ISMS): anyone who can affect, or be affected by, the organisation's information security. Interested parties can be individuals, groups or entities, including customers, regulators and the legal framework the organisation operates under.

Interested parties and the ISMS

Interested parties play a significant role in the information security management system (ISMS). Their needs and expectations are the input that ensures the ISMS is designed to meet the diverse requirements of its stakeholders, and that every impact on information security is identified and addressed. Understanding them is also a requirement of the standard itself (clause 4.2, Understanding the needs and expectations of interested parties). Consequently, identifying and involving interested parties is essential for achieving compliance, implementing an effective management system and attaining ISO 27001 certification.

Examples of ISO 27001 Interested Parties

Examples include:

Executive Board and Shareholders who require

  • legal and regulatory compliance
  • the avoidance of data breaches
  • the avoidance of fines
  • protection of the organisation's reputation
  • commercial advantage in tenders and sales.

Customers who need

  • legal and regulatory compliance
  • products and services that are fit for purpose
  • the avoidance of data breaches

Employees who want

  • to ensure legal and regulatory compliance
  • to implement and run the ISMS
  • to be trained in information security
  • to work in a safe environment
  • not to be constrained by undue bureaucracy

Suppliers who have to

  • understand what is required of them
  • meet their legal, regulatory and contractual obligations

Regulators who

  • ensure that rules for information security are set and implemented to protect people and data

How to identify interested parties

To identify ISO 27001 interested parties:

  • Stakeholder analysis: conduct a traditional stakeholder analysis
  • Brainstorm: hold a brainstorming session with representatives from all areas of the organisation
  • Review of legal and contractual requirements: review your legal register and your contracts, and consult a legal professional, to understand all legal, contractual and regulatory requirements that must be met and who therefore has an interest in the ISMS.

ISO 27001 Interested Parties and Scope

It is vital to get the scope of the information security management system right (clause 4.3 of the standard). The scope defines what the ISMS applies to, so it directly determines which interested parties are relevant: a party outside the scope has no requirements for the ISMS to address, and a party inside it must not be overlooked. Interested parties and scope should therefore be determined together and reviewed together.

Ongoing Review

Interested parties and their requirements change over time (new customers, new contracts, new regulation), so they should be reassessed on a periodic basis. It is recommended that interested parties are reviewed and updated at least annually, and additionally whenever the scope of the ISMS changes.

Documenting Interested Parties

Interested parties and their needs and expectations must be documented for ISO 27001 compliance. Documenting them also provides clarity for the organisation and ensures that none are missed.

Essential Documentation for Compliance

Documentation required to demonstrate compliance includes:

  • A register of interested parties, their needs and expectations, and how the information security management system addresses those needs.

The Roles of ISO 27001 Interested Parties

As well as having requirements, interested parties can play a key role in the development and ongoing management of the information security management system:

  • Involve them in the creation and sign-off of information security policies.
  • Keep them updated and maintain regular communication, including receiving their feedback.
  • Leverage their influence to get things done.

Interested Parties and ISMS Objectives

Once the objectives of the information security management system are documented, they should be shared with, and agreed by, the relevant interested parties. Doing so secures their commitment and makes the ISMS more effective.

Managing Interested Parties Conflict

It is rare that the needs and expectations of interested parties conflict, but it can happen; this is when competing interests arise. Resolving such a conflict may require the support of a senior stakeholder, but consider the following:

  • Prioritise interests based on legal, regulatory and contractual requirements, which cannot be traded away.
  • Broker a meeting with the conflicting parties and seek an agreed resolution.
  • Document the meetings and the decisions that are made, and share them with the management review team for agreement and sign-off.