Interested Parties & Legal Requirements
4.2 Understanding the needs and expectations of interested parties. The organization shall determine: a) interested parties that are relevant to the information security management system; and b) the requirements of these interested parties relevant to information security. NOTE The requirements of interested parties may include legal and regulatory requirements and contractual obligations.
The auditor always expects ‘some kind of document’. In your Documentation Toolkit (template Mandatory Topics) we describe how we use this topic in a holistic approach to define the Context of the organization; you can refer to that during the audit.
Start by listing all your stakeholders in this section, distinguishing the external and internal stakeholders that can influence your ISMS. For each stakeholder, define:
1. Legal requirements – any standards, laws or contracts that apply or must be complied with.
2. ISMS references – which sections/evidence you will collect for these legal requirements.
3. Stakeholder expectations – state in your own words what you expect from that stakeholder and what they expect from you.
Examples of stakeholders:
- Employees – 1. labour laws, GDPR 2. HR contract templates, Code of Conduct, HW Security Rules etc. 3. we expect employees to comply with all ISMS policies and procedures, and employees expect to be informed what the rules of the organization are.
- Partners (e.g. resellers) – 1. GDPR 2. Commercial Reseller Agreements, NDAs
- External Audit party
Start with the listing; after implementation you can add more information under 2. ISMS references and 3. Stakeholder expectations.
This overview helps you explore, and gain more control over, the context in which your organization operates.
| Field | Description | Example |
|---|---|---|
| Stakeholders | select from the drop-down menu the stakeholder that applies to your organisation | Customers |
| Legal requirements | free text field | GDPR |
| Stakeholder expectations | free text field | For all End-Users (in and out of the EU) there is an expectation to follow the GDPR. There might be additional expectations from other privacy guidelines and regulations from customers in specific countries outside the EU. |