If you already have ISO9001:2015, then Clause 4 of ISO 27001 is going to sound very familiar, and it should: it is pretty much the same clause, with a few very minor tweaks in wording and the odd reference. That means you can leverage the work you have already done in your ISO9001:2015 system for your ISO27001:2013 Information Security Management System; you just need to look at it through the new lens of information security. It also means you can create one single integrated manual for your 9001 and 27001 systems, since they both follow the same structure.
As in ISO9001:2015, Clause 4 of the ISO27001:2013 standard is broken into four sections in a bid to make it clearer for the user. These are:
- 4.1 Understanding the Organisation & its Context
- 4.2 Understanding the needs & expectations of interested parties
- 4.3 Determining the scope of the quality management system
- 4.4 Quality management system & its processes
By far the easiest way of looking at this clause is not to follow the order it is written in. It is actually easier to shuffle it a bit and work through the sections in the order 4.2, 4.1, 4.4 and finally 4.3. Since the sections are quite large in terms of what you should do to cover them, we will split this into separate posts: here we will cover 4.2, next we will cover 4.1, and then 4.4 and 4.3.
If you are looking at knocking out this clause quickly, then I am going to suggest you pause a little. It is a really important clause for the whole system, and you will need top management involved to be able to make some of the decisions you need to make. Don't think you are going to head off to a meeting room for an hour and knock it out; you won't. Allow at least a day to a day and a half for all of Clause 4. That said, if you already have 9001 it will be quicker, but only by about 30-50% at most.
Clause 4.2 Understanding the Needs and Expectations of Interested Parties
The standard says that you must determine who the interested parties are with respect to your Information Security Management System, and what requirements these interested parties have that are relevant to information security.
Those requirements can of course come in a range of ways, including legal, regulatory or contractual obligations. NZ, for instance, has the Privacy Act, which would certainly factor into this part of the discussions, so it is important you are aware of these obligations before heading off site to work on crafting how you will meet Clause 4 of the ISO27001 standard for your ISMS.
If you have a quick look at the ISO27000 Information Security Management Systems Overview and Vocabulary document, it has definitions of all the terms used in the standard, so it is quite helpful. It says that an "Interested party is a person or an organisation that can affect, be affected by, or perceive itself to be affected by a decision or an activity" (in this case linked to your ISMS).
Interested parties, then, are, as the name suggests, anyone who basically has an interest in your company, product or service, i.e. stakeholders. That means you should be thinking about quite a few groups: customers, obviously, but don't forget your employees, suppliers, contractors, partners, government agencies, the general public, and the list goes on. Really encourage the group to rack their brains on this one; it will surprise you when you see the list!
There is of course a key word in that definition that you also need to factor in: perceive. Others may think they have an interest, even if you don't, so who would they be? You need to think carefully about that and include them where possible. As new ones pop up, update your Information Security Management System to reflect them; it is a living document after all.
You need to consider whether each of these names, organisations or groups actually has an impact, or could have an impact in the future, on your information security management system or way of working, what that impact could be, and whether you need to do anything as a result.
Once you have that list, add next to each name or group what their needs are and then what their expectations of the company are.
Documenting the Interested Parties
For myself, I find the easiest way to do this is on a sheet of paper or a spreadsheet that is projected up so everyone can see it, set up in columns as follows:
- Organisation name
- Relationship to the organisation (e.g. customer, employee, supplier, partner, influence and so on)
- Impact now (Low, Medium or High) and the type of impact
- Needs / Expectations
- Actions Required to ensure needs are met
- Ranking (from grid)
By plotting your interested parties onto a grid like the one shown here, you can build a good understanding of how much they impact your systems and how much time you need to put into managing them.
The result should be a table like the one shown below:
| Organisation | Relationship | Impact | Needs / Expectations | Actions Required | Ranking |
|---|---|---|---|---|---|
| Joe Bloggs Inc | Customer | High | Confidential documents are not publicly available, to protect IP | All documents held in a secure location with limited access | High |
| Privacy Commission | Government Body (Legal) | High | Meet all NZ legal requirements of data privacy | Notification of breaches or potential breaches | High |
By taking the time to do these steps, you should be able not only to clearly understand who impacts your Information Security Management System, and how, but also to create plans for what you need to do to manage or avoid those impacts. Should the unthinkable happen and there be an issue with your ISMS, you will also know what needs to be done and who to tell.
Of course, another by-product of this is the ability to demonstrate it to anyone who wants to audit or understand it.