Interested Parties & Legal Requirements

4.2 Understanding the needs and expectations of interested parties. The organization shall determine: a) interested parties that are relevant to the information security management system; and b) the requirements of these interested parties relevant to information security.   NOTE The requirements of interested parties may include legal and regulatory requirements and contractual obligations.

The auditor expects always ‘some kind of document’, In your Documentation Toolkit – template Mandatory Topics – we refer how we use the topic in a holistic approach to define the Context & organization. You can refer to that during audit. 

List in this section all your stakeholders to start with and define external and internal stakeholders, that can influence your ISMS. Per stakeholder define if they require

2. ISMS references – what kind of sections/evidence you will collect for these legal requirements.

3. Stakeholder expectations –  state in your own words, what your expectations are to that stakeholder and what they expect from you. 

Examples of stakeholders: 

  • Employees  – 1. labour laws, GDPR  2. HR Controcts templates, Code of Conduct, HW Security Rules etc. 3. we expect that employees comply with all ISMS policies and procedures and Employees expect to be informed what the rules of the organizations are. 
  • Suppliers 
  • Customers
  • Regulator
  • Partners  (e.g. resellers) – 1. GDPR  2. Commercial Reseller Agreements 4. NDA’s 
  • Investors
  • Regulator
  • External Audit party

Start at the beginning with listing and after implementation you can add more information on 2. ISMS references and 3. Stakeholder expectation. 

With this overview you will explore and get more control of  the context your organization is working in. 

Field Value/description Example
Stakeholders select from the drop down menu the stakeholder that applies to your organisation Customers
Legal requirements free text field  GDPR
ISMS Reference free text field GDPR Assessment, Privacy Policy, Privacy Statement
Stakeholders expectations free text field For all End-Users (in and out of EU) there is expectation to follow the GDPR. There might be additional expectation of another privacy guidelines and regulation from customers from specific countries outside EU.

Was this article helpful?
0 out of 5 stars
5 Stars 0%
4 Stars 0%
3 Stars 0%
2 Stars 0%
1 Stars 0%
How can we improve this article?
Please submit the reason for your vote so that we can improve the article.