The basics
ISO 27001 sub-clause 4.2, “Understanding the needs and expectations of interested parties,” requires the organization to determine who the interested parties relevant to its ISMS are (a), what their needs and expectations may be (b), which legal and regulatory requirements and contractual obligations apply (c), and, consequently, whether any of these should become compliance obligations.
These activities help determine the ISMS scope, applicability of controls, and how the controls are to be implemented.
Documentation
ISO 27001 clause 4.2 Understanding the needs and expectations of interested parties requires writing the following document:
The following document is not mandatory; companies can decide whether to write it:
Implementation
To comply with clause 4.2 Understanding the needs and expectations of interested parties, you need to identify the interested parties and their security requirements (i.e., manage your compliance obligations and security expectations). Follow these steps:
- Define who the interested parties are for your company (clause 4.2 a).
- Define where to find the sources of requirements of those interested parties.
- Go through all sources to find the security requirements (clause 4.2 b).
- Define which security requirements will be addressed by the Information Security Management System (ISMS) (clause 4.2 c).
- List interested parties and their requirements in the List of legal, regulatory, and contractual requirements.
- Define who is responsible for complying with each requirement.
Once this list is defined, each responsible person must define how to become compliant with the requirements he/she is responsible for.
Audit evidence
During the ISO 27001 certification audit, the auditor will check the following regarding clause 4.2:
- Whether you can show the document List of legal, regulatory, and contractual requirements.
- Whether your List of legal, regulatory, and contractual requirements includes columns for interested parties and for their requirements.
- Whether you have listed all relevant interested parties and all of their security requirements.
- Whether you have implemented all of those security requirements.