Understanding the Needs and Expectations of Interested Parties for ISO 27001 Information Security

ISO 27001 Clause 4.2

This sub-clause requires the organisation to identify the interested parties relevant to the ISMS and the requirements they bring, including legal, regulatory and contractual obligations.

ISO 27001 Clause 4.2 - Understanding the Needs and Expectations of Interested Parties

Clause 4.2 is the second half of the context analysis. Clause 4.1 looks at issues. Clause 4.2 looks at people and organisations. The clause asks who has an interest in how the organisation manages its information, what they expect, and which of those expectations the management system needs to deliver against.

What ISO 27001 Clause 4.2 Requires

The clause has three requirements. The organisation must determine the interested parties that are relevant to the information security management system, the relevant requirements of those interested parties, and which of those requirements will be addressed through the ISMS. The standard does not require the analysis to be documented, but most organisations capture it in an interested parties register.

An interested party is anyone or any organisation that can affect, be affected by, or perceive itself to be affected by the information security management system. The clause is about identifying them and being clear about their expectations, not about doing whatever they ask.

Who the Interested Parties Usually Are

For most organisations the relevant interested parties for an ISMS will include some or all of the following: customers and clients, employees, owners and shareholders, regulators, certification bodies, suppliers and subcontractors, business partners, and in some cases members of the public whose data is held. The list is not fixed - the relevant parties depend on the nature of the organisation and the information it holds.

Regulators are particularly important for ISO 27001. In the UK that includes the Information Commissioner's Office (ICO) for personal data, sector-specific regulators like the Financial Conduct Authority (FCA) for financial services, and the National Cyber Security Centre (NCSC) as the technical authority on cyber threats. Customers in regulated sectors will often pass their own regulatory obligations on through contractual requirements.

Identifying the Requirements That Apply

The relevant requirements of interested parties usually fall into three groups: legal and regulatory requirements, such as UK GDPR, the Data Protection Act 2018 and sector-specific rules; contractual requirements, such as customer information security clauses, supplier obligations and certification commitments; and other reasonable expectations, such as supplier code-of-conduct adherence or staff expectations around how their personal data is handled.

The interested parties register pulls these together in one place. Each entry typically records the party, the type of relationship, the relevant requirements and how the management system addresses them. The register links across to Clause 4.3 (scope), Clause 6.1 (risks and opportunities) and the legal register.

Keep this list practical. Every supplier, every customer, every staff member is technically an interested party. The clause asks for the ones that are relevant to the management system. If a party neither affects nor is affected by the way you manage information security, leave it off.

Two requirements that very often turn up in this register are the requirements of major customers and the requirements of the certification body. Customer security questionnaires and contract clauses become the input. The certification body's expectation that you keep your certification valid is also a legitimate item to record.

I look at the interested parties register early in the audit. I am checking that the requirements identified are actually being addressed somewhere in the management system. If a customer requires data to be encrypted at rest and there is nothing in the controls about that, the link from 4.2 to the rest of the system has broken down. The register is not a wish-list; it is a contract with yourself.

Practical Compliance Guidance

The interested parties register is one of the foundation documents of the management system. It is reviewed at management review and updated whenever the organisation gains a significant new customer, supplier, regulator or contractual obligation.

The documents below support the identification and management of interested parties for an ISO 27001 information security management system.

alphaZ document | How to use it
ISO 27001 Toolkit | Complete documentation set for ISO 27001:2022 including the IMS1 Manual and all supporting registers.
F-IMS22 Interested Parties Register | Records each interested party, their requirements and how the management system addresses them. Used as the master reference for Clause 4.2.

Note - all the above files can be downloaded with an alphaZ subscription.

Frequently Asked Questions

No. The clause asks for the parties that are relevant to the information security management system. Group similar parties together where their requirements are similar - for example customers in a particular sector, or suppliers of cloud services. Individual entries are needed where the requirements are specific.

Yes. Employees are interested parties because the management system affects them and they affect the management system. Their relevant requirements typically include how their own personal data is handled, the rules they have to follow, and the training they receive.

They overlap but serve different purposes. The interested parties register identifies who has requirements and what they want. The legal register lists the specific legal and regulatory requirements that apply. The interested parties register signposts to the legal register where regulators are involved.

UK Legislation

The following UK legislation creates obligations that typically appear in the interested parties register through regulator and customer requirements.
