Interested Parties & Legal Requirements
4.2 Understanding the needs and expectations of interested parties. The organisation shall determine:
a) interested parties that are relevant to the information security management system;
b) the requirements of these interested parties relevant to information security.
NOTE: The requirements of interested parties may include legal and regulatory requirements and contractual obligations.
This section needs to be aligned with the section Strategy & Ambition – Organisation & Context, where you have briefly defined your third parties involved with product & services. In this section you dive more deeply into legal requirements you’ll need to fulfil for your third parties and define the expectations on both sides.
The external auditor will expect that you’ve documented how you’ve established this process – you can refer to the Mandatory Topics Document where we have described the process.
List all your (external and internal) stakeholders. Per stakeholder, define if they require:
1. Legal requirements – these can be (industry) standards and regulations or perhaps – in contracts – you have defined certain obligations.
2. ISMS references – use this space to refer to any sections in Compleye Online that you use for evidence or activities that you have defined to meet the legal requirements.
3. Stakeholder expectations – state in your own words, what your expectations are of that stakeholder and what the stakeholder expects from you.
Examples of stakeholders:
Employees
Legal requirements: labour laws, GDPR
ISMS references: HR contract templates, Code of Conduct, HW Security Rules, etc.
Stakeholder expectations: we expect that employees comply with all ISMS policies and procedures, and employees expect to be informed of the organisation's rules and that their personal data is safely stored according to GDPR rules.
Partners, e.g. resellers
Legal requirements: GDPR
ISMS references: Commercial Reseller Agreements or controls that you have in place.
Stakeholder expectations: have NDAs in place.
External audit party
Always start with listing all your stakeholders and defining the expectations. After implementation (closer to external audit) you can add more information on ISMS references.
We advise that you finalise this section just before the external audit, to be sure that it’s up to date.
With this overview you’ll explore and get more control of the context your organisation is working in and maybe even go back to Strategy & Ambition – Organisation & Context – to do another check.
|Field|Description|Example|
|---|---|---|
|Stakeholders|Select from the drop-down menu the stakeholder that applies to your organisation|Customers|
|Legal requirements|Free text field|GDPR|
|Stakeholder expectations|Free text field|For all end-users (in and out of the EU) there is an expectation to follow the GDPR. There might be additional expectations of another privacy guideline and regulation from customers from specific countries outside the EU.|