vitormaleite

[ISO/IEC 27001 Series] - (Requirement 4.2) - Understanding the needs and expectations of interested parties - Part 04

Updated: May 5


As described in the earlier article on the internal and external issues of the ISMS, we worked together through understanding the organization and its context for the fictitious company we are analyzing, “Travel with Me”.


With the internal and external issues in hand, it is now time to move on to requirement 4.2.


The ISO/IEC 27001:2022 standard states in requirement 4.2 that the organization must determine:

a) the interested parties that are relevant to the information security management system;
b) the relevant requirements of these interested parties;
c) which of these requirements will be addressed through the information security management system (ISMS).

The key term in this requirement is “interested parties”. An interested party is anyone (a person or an organization) that can affect, be affected by, or perceive themselves to be affected by the ISMS. With this in mind, and concentrating on the fictitious company we are analyzing, “Travel with Me”, revisiting the earlier article gives us the following interested parties:

Investors

Board Of Directors

Employees

Clients

National Data Protection Authority

Karen (Technology Vendor)

I deliberately omitted some critical partners and providers to simplify our analysis, but obviously you should consider every interested party that can influence or be influenced by the ISMS. Other interested parties could therefore be considered, for example: regulatory agencies, certification bodies, competitors, companies from the same group, companies that share the same building, service providers, the media...


Now that we know all the interested parties (Requirement 4.2 a), we need to declare the needs and expectations of each of them (Requirement 4.2 b). Our table will look like this:

| Interested parties | Needs and expectations |
|---|---|
| Investors | They expect a proactive commitment from everyone to information security and data protection, to preserve the company's long-term reputation and sustainability. |
| Board Of Directors | They expect the ISMS to provide a solid base for protecting the company's information assets, reducing risks, ensuring legal compliance, responding effectively to incidents and promoting an information security and data protection culture. |
| Employees | They expect their personal data to be handled securely, and to receive regular training and awareness campaigns. |
| Clients | They expect confidence, transparency and assurance that their personal and sensitive data is protected. |
| National Data Protection Authority | It expects the organization to demonstrate commitment to personal data protection and to implement effective controls that ensure compliance with the Brazilian Data Protection Law and with information security in general. |
| Karen | Karen is the provider of Travel with Me's main critical system, delivered in the SaaS model. Its terms of use and contract establish that the agency, as the client, is responsible for managing and using the system, ensuring access control to the stored data, managing the available security configurations, providing training to users and ensuring compliance with internal policies and regulations. |

Finally, to meet requirement 4.2 c, we can, for example, add one more column stating whether (and how) the requirement will be addressed through the ISMS. It would look something like this:

| Interested parties | Needs and expectations | Will the requirements be addressed through the ISMS? |
|---|---|---|
| Investors | They expect a proactive commitment from everyone to information security and data protection, to preserve the company's long-term reputation and sustainability. | Yes |
| Board Of Directors | They expect the ISMS to provide a solid base for protecting the company's information assets, reducing risks, ensuring legal compliance, responding effectively to incidents and promoting an information security and data protection culture. | Yes |
| Employees | They expect their personal data to be handled securely, and to receive regular training and awareness campaigns. | Yes |
| Clients | They expect confidence, transparency and assurance that their personal and sensitive data is protected. | Yes |
| National Data Protection Authority | It expects the organization to demonstrate commitment to personal data protection and to implement effective controls that ensure compliance with the Brazilian Data Protection Law and with information security in general. | All information security requirements will be sustained by the ISMS, but the privacy requirements mandated by the Brazilian Data Protection Law will be fulfilled through the internal privacy program, which will be maintained in parallel to the ISMS. |
| Karen | Karen is the provider of Travel with Me's main critical system, delivered in the SaaS model. Its terms of use and contract establish that the agency, as the client, is responsible for managing and using the system, ensuring access control to the stored data, managing the available security configurations, providing training to users and ensuring compliance with internal policies and regulations. | Yes |

This concludes requirement 4.2. In the next article we will consolidate everything discussed so far by formalizing the ISMS scope. See you soon! :)


Source Reference: ISO/IEC 27001:2022 and Chris Hall
