Lesson 2.2: Understanding the needs and expectations of interested parties

In this lesson, we are still within Clause 4 and the overall exercise of understanding the organization and its context. This lesson is specific to sub-clause 4.2.
Another item that must be considered in relation to understanding the context of the organization is understanding the needs and expectations of internal and external interested parties.
What is an interested party? If we look back at the important terms and definitions section, interested parties are defined as follows: a person or organization that can affect, be affected by, or perceive itself to be affected by a decision or activity. Interested parties, or simply stakeholders, are any person that is directly or indirectly involved in or affected by the implementation of an ISMS.
The needs and expectations of these stakeholders, which are both internal and external to the organization, will help you identify the specific risks and controls that your ISMS needs to manage. So a stakeholder can be anyone that has direct or indirect involvement in the ISMS; stakeholders that will directly or indirectly gain some form of benefit from the ISMS; or stakeholders which directly or indirectly have requirements related to the security or protection of information within your organization.
Let's have a look at some examples of internal interested parties. Identifying the interested parties from an internal as well as an external perspective is the first step. It is then required to identify the requirements or expectations of these parties. This can include risks posed by the parties or to the parties, or expectations of the parties with regard to the ISMS.
For example, clients would want peace of mind that their data being processed by you in the due course of business is being processed correctly and in compliance with all the controls pertinent to each scenario.
Government and regulatory bodies, which would be external interested parties, would want assurance that the organization is compliant with any relevant regulations in the specific industry that the organization operates in, specifically relating to security, privacy and business continuity.
The compliance and legal departments within a large organization are important for assisting in the identification of the needs and expectations of interested parties. A large number of needs and requirements come from understanding the specific regulatory or legal obligations the organization has to various stakeholders.
Internal interested parties can include your top or executive management. They will obviously have a high interest in the ISMS. They will be able to provide input into the ISMS in the form of budgetary and change support.
Shareholders or the business owners will have a vested interest. They would want security in their investment and for their investment to yield a good return. An ISMS is a mechanism to help manage information security, and therefore there will be a return.
Employees are also interested parties. They will participate in the daily operation of the ISMS either indirectly or directly. One of their requirements would be to understand the why behind what they are required to do to support the ISMS.
External interested parties could be government agencies or regulators. Regulators would expect an organization to be compliant with the various standards and guidelines that they enforce within a specific industry. In the finance industry specifically, there are often regulators pushing down different forms of compliance that banks or other financial institutions need to comply with, especially with regard to information security. These requirements and guidelines will often be vague in nature, and only go to the extent that some form of management system for information security needs to be in place, but won't really prescribe how this needs to be done. An ISMS is one of the ways that this could be achieved.
Clients are another form of external interested party, especially ones dealing directly with your organization. They will expect your organization to enforce and comply with specific security clauses, which may be included in contracts or laws. Suppliers form an extension of your organization, and specific third-party management requirements would need to be put in place and enforced by both parties to ensure information security standards are being upheld on both ends.
Media could also be considered an external interested party, especially if you are a large corporation. When large organizations suffer a cybersecurity incident, the media would want quick and accurate information pertaining to the incident, to the extent that it can be publicly disclosed. Having a proper communication plan covering who in the media to contact, who in the organization does the contacting, at what level of incident contacting the media needs to happen, and the level of information to be disclosed are all requirements an organization would need to have identified and thought out. A well-defined communication strategy specific to security incidents would be one way to satisfy this requirement. If the media get their hands on information through a company leak or through other means, the image portrayed of the organization that suffered the breach is often worse than if the organization has a proactive strategy in place to manage public communications and updates related to a cybersecurity incident.
What is the documentation required for Clause 4.2, understanding the needs and expectations of internal and external stakeholders? A list of the stakeholders identified would be a good place to start: knowing who your internal and external stakeholders or interested parties are. For each of these, document the specific needs and requirements that you considered. Also document the specific regulations, laws or contracts that were considered in relation to the interested parties.
It is also important to update this documentation on a regular basis, either annually or when major changes occur to the organization's environment. Maintaining a history of these updates and any revisions to the stakeholder list will demonstrate that you are maintaining this list, keeping abreast of any changes that may happen, and continually factoring this into your ISMS. This is another way of demonstrating continual improvement. The third item listed here is not specifically compulsory, but I would recommend maintaining it in the interest of preserving a broader knowledge base and context for the ISMS. It would also provide your auditor with additional context during the audits, as well as any team member that is involved in the maintenance of the ISMS.
We covered what interested parties are and why they must be considered in the context of your ISMS. We also looked at examples of internal and external interested parties. Lastly, we covered the required documentation to be produced as output from this activity.