As we described in the earlier article on the internal and external issues of the ISMS, we worked through understanding the organization and its context for the fictitious company we are analyzing, “Travel with Me”.
With the internal and external issues in hand, it is now time to move on to requirement 4.2.
The ISO/IEC 27001:2022 standard says in requirement 4.2 that the organization must determine:
a) interested parties that are relevant to the information security management system;
b) the relevant requirements of these interested parties;
c) which of these requirements will be addressed through the information security management system (ISMS).
The key term in this requirement is “interested parties”. We can say that an interested party is anyone (a person or an organization) that can affect, be affected by, or perceive themselves to be affected by the ISMS. With this in mind, and concentrating on the fictitious company we are analyzing, “Travel with Me”, and revisiting the earlier article, we have the following interested parties:
| Interested parties |
| --- |
| Investors |
| Board of Directors |
| Employees |
| Clients |
| National Data Protection Authority |
| Karen (Technology Vendor) |
I purposely omitted some critical partners and providers to keep our analysis simple, but obviously you should consider all interested parties who can influence or be influenced by the ISMS. Other interested parties can therefore be considered, for example: regulatory agencies, certification bodies, competitors, companies from the same group, companies that share the same building, service providers, the media, and so on.
Now that we know all the interested parties (requirement 4.2 a), we need to state the needs and expectations of these interested parties (requirement 4.2 b). Our table will then look like this:
| Interested parties | Needs and expectations |
| --- | --- |
| Investors | They expect proactive commitment from everyone to information security and data protection, to preserve the company's long-term reputation and sustainability. |
| Board of Directors | They expect the ISMS to provide a solid base for protecting the company’s information assets: reducing risks, ensuring legal compliance, enabling effective incident response, and promoting an information security and data protection culture. |
| Employees | They expect their personal data to be handled securely, and to receive regular training and awareness campaigns. |
| Clients | They expect confidence, transparency and assurance that their personal and sensitive data are protected. |
| National Data Protection Authority | It expects the organization to demonstrate commitment to personal data protection and to implement effective controls that ensure compliance with the Brazilian Data Protection Law and with information security in general. |
| Karen | Karen is the provider of “Travel with Me”'s main critical system, delivered in the SaaS model. Its terms of use and contract establish that the agency, as the client, is responsible for managing and using the system, for controlling access to the data stored in it, for managing the available security configurations, for providing training to users, and for ensuring compliance with internal policies and regulations. |
And finally, to meet requirement 4.2 c), we can, for example, add one more column stating whether and how each requirement will be addressed. It would look something like this:
| Interested parties | Needs and expectations | Will the requirements be addressed through the ISMS? |
| --- | --- | --- |
| Investors | They expect proactive commitment from everyone to information security and data protection, to preserve the company's long-term reputation and sustainability. | Yes |
| Board of Directors | They expect the ISMS to provide a solid base for protecting the company’s information assets: reducing risks, ensuring legal compliance, enabling effective incident response, and promoting an information security and data protection culture. | Yes |
| Employees | They expect their personal data to be handled securely, and to receive regular training and awareness campaigns. | Yes |
| Clients | They expect confidence, transparency and assurance that their personal and sensitive data are protected. | Yes |
| National Data Protection Authority | It expects the organization to demonstrate commitment to personal data protection and to implement effective controls that ensure compliance with the Brazilian Data Protection Law and with information security in general. | All information security matters will be covered by the ISMS, but the privacy requirements mandated by the Brazilian Data Protection Law will be fulfilled through the internal privacy program, which will be maintained in parallel to the ISMS. |
| Karen | Karen is the provider of “Travel with Me”'s main critical system, delivered in the SaaS model. Its terms of use and contract establish that the agency, as the client, is responsible for managing and using the system, for controlling access to the data stored in it, for managing the available security configurations, for providing training to users, and for ensuring compliance with internal policies and regulations. | Yes |
This completes requirement 4.2. In the next article, we will consolidate everything discussed so far by formalizing the ISMS scope. See you soon! :)
Source reference: ISO/IEC 27001:2022 and Chris Hall