ISO 27001:2022 Clause 4.2 Understanding The Needs And Expectations Of Interested Parties — Certification Guide
Introduction
In this article I lay bare ISO 27001 Clause 4.2 Understanding The Needs And Expectations Of Interested Parties.
Using over two decades of experience on hundreds of ISO 27001 audits and ISO 27001 certifications I am going to show you what's new, give you templates, show you examples and do a walkthrough.
In this ISO 27001 certification guide I show you exactly what changed in the ISO 27001:2022 update.
I am Stuart Barker the ISO 27001 Ninja and this is ISO 27001:2022 Clause 4.2
Table of contents
Introduction
What is ISO 27001:2022 Clause 4.2 Understanding the needs and expectations of interested parties?
What is the requirement of ISO 27001:2022 Clause 4.2?
What are the ISO 27001:2022 Changes to Clause 4.2?
What does the standard say about ISO 27001:2022 Clause 4.2?
How to identify interested parties
How to identify interested parties requirements
ISO 27001 Clause 4.2 Interested Parties Example
ISO 27001 Clause 4.2 Template
ISO 27001 Context of Organisation Template Fully Populated
ISO 27001 Clause 4.2 FAQ
How to comply with ISO 27001 clause 4.2
What is ISO 27001:2022 Clause 4.2 Understanding the needs and expectations of interested parties?
ISO 27001:2022 Clause 4.2 is an ISO 27001 standard requirement. Certifying to ISO 27001 or implementing ISO 27001 means you are going to have to satisfy this ISO 27001 clause.
What is the requirement of ISO 27001:2022 Clause 4.2?
ISO 27001 clause 4.2 forms, as you would expect, part of ISO 27001 Clause 4 Context of Organisation. In clause 4.1 we looked at understanding the organisation and its context, which broke down into identifying internal and external issues. Here we are going to look at the needs and the expectations of interested parties. Specifically we are looking at people that might have an interest in the effectiveness of the information security management system and what their actual requirements are.
This is another quick win as the same interested parties come up time and time again and their requirements rarely change, irrespective of the business you are in. That is why we were able to pre-populate our Context of Organisation Template, leaving little if any work to do other than review it.
What are the ISO 27001:2022 Changes to Clause 4.2?
There is no real change to ISO 27001 clause 4.2 for the 2022 update. It has clarified that you will now determine which of the identified requirements will be addressed through the information security management system, rather than implying it.
What does the standard say about ISO 27001:2022 Clause 4.2?
ISO 27001:2022 defines clause 4.2 as:
The organisation shall determine:
a) interested parties that are relevant to the information security management system
b) the requirements of these interested parties
c) which of these requirements will be addressed through the information security management system.
How to identify interested parties
Interested parties is just another way of saying stakeholders. You could do a traditional stakeholder analysis. This depends really on whether you want to do it right or just pass the ISO 27001 certification. You really don't have to overthink it. Just think about who might have an interest in your information security management system actually working and doing its intended job. Ask around, ask colleagues, ask management. You can download our Context of Organisation Template or you can copy our list below.
How to identify interested parties requirements
Once you have identified them, you can try asking them. As noted, these come up time and time again and are pretty standard. If you don't want to go to the effort of asking, you can download our Context of Organisation Template or copy our list below and just verify it.
ISO 27001 Clause 4.2 Interested Parties Example

Interested Party: Executive Board
Requirements Relevant to ISMS:
+ Legal and Regulatory Compliance
+ Avoidance of data breach
+ Avoidance of fines
+ Commercial advantage for tender and sales
+ To protect the company reputation

Interested Party: Shareholders
Requirements Relevant to ISMS:
+ Legal and Regulatory Compliance
+ Avoidance of data breach
+ Avoidance of fines
+ Commercial advantage for tender and sales
+ To protect the company reputation

Interested Party: Employees
Requirements Relevant to ISMS:
+ Legal and Regulatory Compliance
+ To understand, implement and follow the governance framework
+ To be trained in the information security management system
+ To have appropriate and adequate protection of employee and customer data
+ To be able to conduct their role without undue bureaucracy
+ To work in a safe environment

Interested Party: Information Commissioners Office and Regulators
Requirements Relevant to ISMS:
+ Legal and Regulatory Compliance

Interested Party: Law Enforcement Agencies
Requirements Relevant to ISMS:
+ Legal and Regulatory Compliance
+ Timely co-operation on investigations

Interested Party: Customers
Requirements Relevant to ISMS:
+ Legal and Regulatory Compliance
+ Products and services fit for purpose
+ Avoidance of data breach

Interested Party: Insurers
Requirements Relevant to ISMS:
+ Legal and Regulatory Compliance
+ Current applicable contracts for products and services
+ Current applicable contracts covering an understanding of any information security requirements

Interested Party: Local Residents
Requirements Relevant to ISMS:
+ No negative or adverse impact from physical and environmental security
ISO 27001 Clause 4.2 Template
The ISO 27001 Context Of Organisation template fully satisfies the requirements of ISO 27001 Clause 4.2 and is pre-written with common examples to fast track your implementation. It quickly and effectively satisfies the needs of the clause.
ISO 27001 Context of Organisation Template Fully Populated
Part of the ISO 27001 Templates Toolkit but also available to download individually.
Interested parties are people or entities that have an interest in how your information security management system is built and operates. Their interests will shape how you build your management system, how you operate it and how you report on it. Examples of interested parties could include the Information Commissioner or equivalent, who has an expectation that you are protecting personal information. Customers and clients may have an interest and very specific requirements on what they expect of you for information security. Internally, the business owners and senior management may be interested in ensuring that the management system is efficient and does not harm profitability.
What are examples of ISO 27001 interested parties requirements?
Examples of ISO 27001 interested parties requirements would include ensuring the information security management system is operating effectively and protecting the organisation from cyber attack and legal and regulatory breach. Specific customer examples may include how you store, process or transmit their specific information and the controls that you have in place around it. Commercial requirements will come from the organisation owners and senior management teams.
Do I need to formally record and approve the ISO 27001 interested parties and their requirements?
Yes. They should be documented, approved and minuted at a management review team meeting. As part of continual improvement this list will be reviewed and updated at least annually or as significant change occurs. Significant change usually means a new client requirement in the course of business.
How to comply with ISO 27001 clause 4.2
How to comply with ISO 27001 clause 4.2 Understanding the needs and expectations of interested parties
1. Identify ISO 27001 Interested Parties
Identify and record those people and entities that have an interest in the information security management system. Consider using a traditional stakeholder analysis. You can brainstorm the list of interested parties amongst company peers, including senior management and business owners. Examples and a standard list are provided pre-written and pre-populated in the Context of Organisation template.
2. Identify the ISO 27001 interested parties requirements
The requirements of the ISO 27001 interested parties can be found in legal contracts, in the law of the land, and by asking peers in the organisation, including senior management and business owners. Examples and a standard list are provided pre-written and pre-populated in the Context of Organisation template.
3. Document both the ISO 27001 interested parties and their requirements
Formally document the list of ISO 27001 interested parties and their requirements.
4. Approve and sign off the list of ISO 27001 interested parties and their requirements
Share the documented list of interested parties and their requirements formally at the management review team meeting. Get acceptance from the group and record in the minutes of the meeting that this was reviewed and accepted.