ISO 27001 – Understanding & Communicating with Stakeholders


In our Guide to ISO 27001, we have explained how an engaged leadership team is vital to your compliance project, how system Scope and the Statement of Applicability will create the boundaries for your policies and controls, and lastly, we discussed all of ISO 27001’s mandatory clauses. Next, we will take a deeper look at specific requirements that can dictate your project’s success – understanding and communicating with stakeholders.

Understanding your stakeholders’ needs and expectations is paramount to implementing an ISO 27001 compliant information security management system (ISMS). The aim of this part is to go beyond the bare wording of the requirement and show how meeting it in practice can have a lasting positive impact on your organization.

Understanding the Interested Parties

Clause 4.2 of ISO 27001 is concerned with “understanding the needs and expectations of interested parties” and is a compulsory requirement when creating a compliant ISMS. The clause is described in the Standard as:

ISO 27001:2013 – 4.2 Understanding the needs and expectations of interested parties

The organization shall determine:

a) interested parties that are relevant to the information security management system; and

b) the requirements of these interested parties relevant to information security.

As discussed in Part 1 of our Guide to ISO 27001, whenever you initiate an ISO project you must identify who your stakeholders are and understand what they require, whether they are a primary source of requirements (for example, a client contract) or a secondary one (for example, an industry association whose guidance your clients expect you to follow). Note that the 2022 revision of the Standard adds a third item to this clause, c) which of these requirements will be addressed through the ISMS, so you should also record which requirements you have decided to bring into scope. Fully understanding the needs and expectations of interested parties dictates the course of your ISMS and ultimately influences the end result.

A few examples of who these stakeholders may be include:

  • Staff
  • Top management
  • Clients
  • Competitors
  • Industry Associations
  • Governments

External requirements usually arrive as contractual and regulatory obligations. Clients and prospects typically have clear expectations about data security and the controls that must be in place, as well as product features they would like your organization to develop. Keeping organized records of these requirements, and of where each one came from, is key to continually improving your services and security, and it gives the auditor evidence that Clause 4.2 has been addressed.

The Standard does not prescribe a method, but a practical approach that satisfies Clause 4.2 is to:

  • Create a single register (a digital repository) in which you log every stakeholder requirement, whether contractual, legal or regulatory, together with every opportunity for improvement
  • Record the requester, or source, against each entry
  • Assign an owner to each resulting action
  • Establish an action plan for each entry
  • Set a due date for each item based on its priority
  • Review the register at planned intervals with top management

Communication Is Key

Effective communication with stakeholders, and efficient management of that communication, is one way to build on the requirements of Clause 4.2 described above. You can create a Communication Management Matrix that lists internal and external stakeholders and categorizes them by topics of interest, objectives, and level of engagement. The matrix supports:

  • Monitoring expectations
  • Keeping stakeholders informed
  • Actively managing responses to new product features and changes
  • Measuring each stakeholder’s level of power and interest

Stakeholder and Communication Management are core processes to help you learn about your interested parties and understand the context of your security controls and company. It also helps you engage with the people and organizations that can assist you in mitigating risks and exploiting opportunities.

Understanding and Communicating with Stakeholders

Engaging with internal and external stakeholders and creating a structured communication process with them is paramount in the development of an ISO 27001 compliant ISMS. Your Information Security Management System should record each stakeholder’s expectations and the action plan for addressing them.

The success of your ISO 27001 initiative is directly related to your ability to converse and listen.

Being transparent with interested parties is an outcome of effective stakeholder communication and management; it adds value to your organization and provides the evidence that Clause 4.2 is being met.

In part 5 of our Guide to ISO 27001 Compliance, we jump into risk management: discussing the risk management process and how to approach and define it.

How Can StandardFusion Help?

With StandardFusion, you can create a centralized list of tasks associated with Opportunities for Improvement. You can also assign ownership and due dates to each specific task as part of a wider initiative. StandardFusion’s Task Dashboard allows users to filter tasks by category (risks, opportunities, dates, owners) for improved control. Develop supporting reports and policies from the ground up, and give management clear visibility. Make the most of technology and learn how to use an automated, single source of truth to manage your tasks, procedures, and stakeholders within your ISO program using StandardFusion.

Part 1 – Implementation & Leadership Support
Part 2 – Establishing Scope and Creating the Statement of Applicability
Part 3 – Mandatory Clauses
Part 4 – Understanding & Communicating with Stakeholders
Part 5 – Risk Management
Part 6 – Defining Controls
Part 7 – Competence, Training and Awareness
Part 8 – Monitoring Efficacy & Continuous Improvement