INTERESTED PARTIES IN AN ISMS
Standard Definition of Interested Parties
The management framework for most ISO management system standards is now identical. All of them define an interested party (or stakeholder) as a person or organization that can affect, be affected by, or perceive itself to be affected by a decision or activity of the organization operating the management system.
The most interesting part of the standard wording is “perceive itself to be affected”. These entities can be internal or external parties who are not directly affected by the operation of the organization but are still worth considering: being part of the context in which the organization operates, they may have the power to influence the organization. The media is a good example of this group, because it is able to influence real stakeholders, so communication with it is important.
Interested Parties in an ISMS
Let’s reduce the scope of our discussion to information security management systems (ISMSs). Managers (at all levels) and/or the ISMS documentation are the most effective sources of information on who the stakeholders of an ISMS are. If a manager keeps in contact with an entity (giving or receiving information) on the topic of information security, or an organizational role is mentioned in the ISMS documentation, they are definitely interested parties.
Dividing stakeholders into internal (within the scope of the ISMS, such as management, the IT manager, the CISO) and external (entities out of scope, such as customers, authorities, society, and the workforce outside the ISMS scope) groups simplifies the identification of the parties.
The Needs of Interested Parties
Requirements for controls applied by the organization to its operation, products, or services may come from relevant interested parties. There can be many stakeholders with plenty of requirements. Take a practical approach when compiling these needs; the goal is not to have a comprehensive list but to list the most relevant ones. Interested parties may be grouped according to their importance: there are always stakeholders whose requirements must be observed and others whose needs should merely be taken into account.
Even the scope definition of the ISMS is influenced by interested parties. The mere existence of an ISMS preserves confidentiality, integrity, and availability of information and gives confidence to stakeholders that risks are adequately managed.
Expectations of interested parties are rarely independent: actions taken to address the needs and expectations of one interested party may benefit or run contrary to another one’s interest. It is not easy, and sometimes not even possible, to fully observe all relevant interests. This is where classification of interests and weighted compliance efforts come in handy, especially considering that there is a price tag attached to every compliance effort.
Seeking compliance with the needs of interested parties may look like a generic standard clause that only calls for formal compliance, but it can become a burning issue during the establishment project or the operation of the ISMS if an important requirement is overlooked.
Managing Interested Parties
Once you have a list of the relevant stakeholder needs, you can put together a plan to manage them. An important tool is a communication plan: who will communicate with whom, about what, and when. Communication with a given interested party can be unidirectional or bidirectional, to affect them and/or to be affected by them. The ISMS policy may include a top management commitment to comply with certain needs that the organization considers strategic. In this case it is clearly in the best interest of the organization to communicate the policy to those (or all) parties.
Implementing complex controls takes time, and during that time the level of risk can be higher than what is acceptable on a long-term basis. Interested parties should be informed of the levels of risk estimated or anticipated at different points in time as the controls are being implemented.
An organization needs to plan not only how to manage compliance efforts but also how to monitor their success. ISO standards therefore require the management review to address feedback from stakeholders, giving top management the opportunity to intervene.