Early on in the ISO27001:2013 standard, page 1 section 4.2 to be precise, is ‘Understanding the needs and expectations of interested parties’. An organisation needs to determine the parties relevant to their information security management system (ISMS) and what requirements they could have for information security. The standard helpfully notes that requirements may include legal and regulatory requirements and obligations.
Start with the internal parties. They will include your staff, contractors, and shareholders. Then move on to thinking about external parties. They will include clients, potential clients, business partners, suppliers, insurers, trade associations and regulatory bodies. Emergency services can also be included, they will be interested in respect of your health and safety regulations and fire safety.
Adding details of what each party expects gives you a high-level view of how information security has an impact on a business. Here are some (partial) example….
Staff
Terms & conditions
Safe working conditions
Continuity of employment
Client
ISO 27001 Compliance
99% availability of systems
Meeting SLAs (1hr response for critical issues etc.)
And remember that 5.2 of the standard says that the information security policy shall “be available to interested parties, as appropriate”. So make it available to them.
Get in touch for advice on how to prepare for ISO27001
e: ian.grey@wadiff-consulting.co.uk
t: +44 (0)7941 188462