As we often say, information security is everybody’s business. We need to identify the people and groups around us and understand their needs.

Clause 4.2 of the ISO 27001 standard on information security calls for stakeholders to be identified, as they have a significant **impact** and, above all, an interest in the organization’s information security management system (ISMS).
Step 1 – clause 4.2 a) identify stakeholders
Stakeholders are the people or groups who have an interest in or influence on an organization, and especially on the ISMS program. Stakeholders can include employees, customers, suppliers, shareholders, business partners, governments, local communities, associations and other groups who have an impact on the organization or are affected by its activities.
To help you identify these stakeholders, here are a few steps to take you around the organization:
- Examine the organization’s business processes and identify the groups and/or organizations that are affected by or have an influence on these processes.
- Examine the organization’s assets and determine who is responsible for these assets or who may be affected by their security.
- Identify potential risks to the organization and determine which groups and/or organizations are affected by or have influence on the management of these risks.
- Identify the laws, regulations and standards applicable to the organization and determine who is or will be responsible for compliance or who may be affected by regulatory requirements.
- Identify past information security incidents and determine who was affected by them or who helped manage them.
Typical stakeholders include employees, suppliers, customers, shareholders, management, governments and any other person or organization with an interest in the organization’s information security.
Step 2 – clause 4.2 b) determine their requirements
Here are a few methods to help determine the requirements of the stakeholders identified in step 1 above:
- Organize individual or group interviews with stakeholders to understand their information security needs, expectations and requirements.
- Send surveys to stakeholders to gather their opinions and comments on information security.
- Examine potential risks to the organization and identify those who are affected or who can influence the management of these risks, so that the scope covers these risks.
- Identify and analyze the rules that apply to stakeholders and determine their information security needs.
It’s important to note that stakeholder requirements vary according to each stakeholder’s role and relationship with the organization, so they must be identified and dealt with individually. Each stakeholder has specific needs in terms of security and risk tolerance, and these are documented separately for each stakeholder.
Here are a few examples of requirements that stakeholders may have with regard to information security:
- Employees can demand secure access to the data and applications they need to perform their jobs, as well as information security training to help them protect the organization’s data.
- Customers may require that their personal and financial data be protected against loss, leakage or unlawful use.
- Business partners may require that the organization’s confidential data be protected against unauthorized disclosure.
- Shareholders may require that the organization’s financial data be protected against manipulation or unauthorized disclosure.
- Regulators and government authorities may require the organization to comply with specific information security regulations, such as the protection of personal data or compliance with industry standards.
- Local communities may require that environmental and health data be protected from unauthorized disclosure.
Step 3 – clause 4.2 c) determine which stakeholder requirements will be covered by the ISMS
Finally, the organization must formally determine whether the requirements of its stakeholders will be covered by the information security management system (ISMS), or whether certain elements will be excluded from coverage.
In an ideal world, all these stakeholders’ needs will be covered, which makes the task of determining coverage much easier. But beware, this represents a commitment by the organization to its stakeholders, as a kind of implicit contract.
Success criteria
In order to determine whether we have complied with clause 4.2 of ISO 27001, here are a few questions an auditor might ask:
- Who are the stakeholders?
- What are their needs?
- What needs won’t be covered by the ISMS?
- How did you determine stakeholders’ needs?
- Show me the document describing your answers.