How to identify ISMS requirements of interested parties in ISO 27001

“If you do not know where you’re going, you’re unlikely to end there.” This saying from the title character in the movie Forrest Gump describes perfectly why many projects fail: lack of clear requirements.

Definition of requirements is so important that, since 2012, all published ISO management systems standards, including ISO 27001, explicitly require organizations to determine requirements of interested parties relevant to the management system’s scope.

This article will present a plain definition of requirements, and some methods for gathering information necessary to identify them in an Information Security Management System (ISMS) implementation project based on the ISO 27001 standard.

What are requirements?

Simply speaking, requirements are statements with clear information about what something should do or how it should behave, used to express someone’s needs and expectations in a way that makes it easier to understand for those who are trying to fulfill them.

Consider someone who goes to a restaurant for lunch. His need (what is explicit) is to feed himself, and his expectation (what is implicit) is to eat a delicious meal. By reading the menu, or consulting the waiter, that person chooses a plate; i.e., he defines his requirements, providing information in a way the cook can understand about how his meal must be prepared (e.g., ingredients, type of meat, beverage, etc.).

Now, change this scenario to an ISO 27001 context. People involved with the meal (the customer, waiter, and cook) would be people involved with the ISMS (e.g., customer, top management, suppliers, etc.), all called “interested parties,” who also should be properly identified according the standard. For more information, see: How to identify interested parties according to ISO 27001 and ISO 22301.

Similar to the situation where the customer at the restaurant has his needs and expectations, you could have customers of an ecommerce site who:

• need to protect their information
• expect not to pay more for protecting it

Top management of this web site business then could define requirements to be fulfilled in terms of:

• security levels for its services, like “Implementation of access control on the organization’s ecommerce site”
• conditions to reduce costs, such as “Minimization of systems’ downtime related to information security incidents by yy%”

The requirement about access control implementation is related to customers’ need to protect information, while the requirement about the systems’ downtime minimization is related to their expectation to not pay more for protection, because with less downtime, the organization can have a more profitable operation and avoid charging more of the customer for additional security.

Other requirements relevant for ISMS implementation are those established by:

• The standard itself. These are simpler to identify (all statements that contains the word “shall” are requirements). For more information, see this List of mandatory documents required by ISO 27001 (2013 revision).
• Legal requirements. For more information, see: Laws and regulations on information security and business continuity.

For a successful ISMS, the project team has to understand interested parties, the standard, and legal requirements.

Why are requirements so important?

Requirements are important because they influence many aspects of the ISMS, such as:

• ISMS scope. For more information, see: How to define the ISMS scope.
• Security objectives to be set and controls to be implemented. For more information, see: ISO 27001 control objectives – Why are they important?
• How performance should be evaluated. For more information, see: How to perform monitoring and measurement in ISO 27001.

Requirements identification methods

As stated previously, requirements identification starts with the identification of needs and expectations of interested parties, and commonly used data-gathering methods for collecting this kind of information include:

Questionnaires: A set of written questions applied to a sample population of users.

Interviews: A series of questions asked personally to the interested party. For more information, see: Which questions will the ISO 27001 certification auditor ask?

Workshops or focus groups: When you bring together a cross-section of interested parties to discuss an issue in a group format.

Observation: Simply looking at how things are done, which resources are used, by whom, etc.

Studying documentation: Reviewing current process documentation and other relevant documents, like legal and regulatory requirements, and contractual obligations.

Selecting identification methods

When choosing a data-gathering method, you should consider these criteria:

• If you need information from potential users with different views of the ISMS, a workshop or focus group would be recommended.
• If you need specific information and to explore issues (e.g., attitudes toward the new system) of an interested party like a key user, process expert, or top management personnel, you can use interviews. If the number of people is too high, applying a questionnaire will save you time (with the disadvantage of the loss of personal interaction). Open-ended questions generally help in obtaining valuable information for both methods.
• By using observation, you can get an independent perception of what already exists and what is missing. Observation is particularly good to apply on running environments.
• By studying documentation, you can learn about procedures, regulations, and standards that must be followed.

If you note, for each data-gathering scenario there is a more appropriate method to apply, but a combination of all of them surely will provide you with a better perspective of needs and expectations that can be translated later into requirements for your ISMS.

A useful ISMS starts with well-identified interested parties’ requirements

Including the requirement of interested parties in the 2013 revision of ISO 27001 was one of its greatest improvements over the previous 2005 revision, because while risk assessment provides the main support for protecting the ISMS scope, clearly understanding what the ISMS should do and how it should behave regarding interested parties’ needs and expectations is absolutely critical to defining the system’s scope, security objectives, and performance evaluation, and thereby ensuring the success of information security.

By applying proper data-gathering methods, an organization can systematically understand its interested parties and their needs and expectations, and translate those into proper measurable requirements with sufficient details so they can drive the ISMS conception, implementation, operation, and improvement toward the desired outcomes with optimized costs and risks.

Learn more about identification of requirements of interested parties in this free online training:  ISO 27001 Foundations Online Course.