Understanding the Needs and Expectations of Interested Parties

Time
7 hours 56 minutes
Difficulty
Intermediate
CEU/CPE
8
Video Transcription
00:01
Lesson 2.2: Understanding the needs and expectations of interested parties.
00:10
In this lesson, we are still within Clause 4 and the overall exercise to understand the organization and its context.
00:17
This lesson is specific to sub clause 4.2.
00:21
Another item that must be considered relating to understanding the context of the organization
00:27
is understanding the needs and expectations of internal and external interested parties.
00:40
So
00:41
what is an interested party?
00:45
If we look back at the important terms and definitions section,
00:49
interested parties are defined as follows:
00:52
a person or organization that can affect, be affected by,
00:56
or perceive itself to be affected by a decision or activity.
01:00
Interested parties are simply stakeholders,
01:04
which is any person that is directly or indirectly involved in or affected by the implementation of an ISMS.
01:12
The needs and expectations of these stakeholders, which are both internal and external to the organization,
01:19
will help you identify the specific risks and controls that your ISMS needs to manage.
01:26
So a stakeholder can be
01:30
anyone that has direct or indirect involvement in the ISMS,
01:36
stakeholders that will directly or indirectly gain some form of benefit from the ISMS,
01:42
or stakeholders which directly or indirectly have requirements related to the security or protection of information within your organization.
01:53
Let's have a look at some examples of internal interested parties.
02:04
Identifying the interested parties from an internal as well as an external perspective is the first step.
02:08
It is then required to identify the requirements or expectations of these parties.
02:15
This can include risks posed by the parties or to the parties,
02:19
or expectations of the parties with regards to the ISMS.
02:23
For example, clients will want peace of mind that their data being processed by you in the due course of business is being processed correctly and in compliance with all the controls pertinent to each scenario.
02:36
Government and regulatory bodies, which would be external interested parties,
02:40
would want assurance that the organization is compliant with any relevant regulations in the specific industry
02:47
that the organization operates in,
02:51
specifically relating to security, privacy and/or business continuity.
02:57
The compliance and legal departments within a large organization are important for assisting in the identification of the needs and expectations of interested parties.
03:06
A large amount of needs and requirements come from understanding the specific regulatory or legal obligations the organization has to various stakeholders.
03:16
Internal interested parties can include your top or executive management.
03:21
They will obviously have a high interest in the ISMS.
03:24
They will be able to provide input into the ISMS in the form of budgetary and change support.
03:30
Shareholders or the business owners
03:34
will have a vested interest.
03:36
They will want security in their investment and for their investment to yield a good return.
03:40
An ISMS is a mechanism to help manage information security,
03:46
and therefore there will be a return.
03:49
Employees are also interested parties.
03:52
They will participate in the daily operation of the ISMS either indirectly or directly.
03:58
One of their requirements would be to understand the why behind what they are required to do to support the ISMS.
04:15
external interested parties
04:16
could be government agencies or regulators.
04:19
Regulators would expect an organization to be compliant with the various standards and guidelines that the regulator enforces within a specific industry.
04:29
In the finance industry specifically, there are often regulators there
04:33
pushing down different
04:36
forms of compliance that banks or other financial institutions need to comply with, especially with regards to information security.
04:46
These requirements and guidelines will often be vague in nature, and just go to the extent that some form of management system
04:51
for information security needs to be in place,
04:55
but won't really prescribe how this needs to be done. An ISMS is one of the ways that this could be achieved.
05:02
Clients are another form of external interested party,
05:06
especially ones dealing with your organization. They will expect your organization to enforce and comply with specific security clauses which may be included in contracts or laws.
05:17
Suppliers will form an extension of your organization and specific third party management requirements would need to be put in place and enforced by both parties to ensure information security standards are being upheld on both ends.
05:30
Media could also be considered an external interested party,
05:34
especially if you're in a large corporation.
05:38
When large organizations suffer a cybersecurity incident,
05:41
the media would want quick and accurate information pertaining to the information which can be publicly disclosed.
05:47
Having a proper communication plan of who in the media to contact, who in the organization does the contacting,
05:54
at what level of incident contacting the media needs to happen,
05:59
and the level of information to be disclosed are all requirements an organization would need to have answers to.
06:09
Having this
06:10
all thought out in a well-defined communication strategy specific to security incidents would be one way to satisfy this requirement.
06:16
If the media get their hands on information through a company leak or through other means,
06:23
the image portrayed of the organization that suffered the breach is often worse than if the organization has a proactive strategy in place to manage public communications and updates related to a cybersecurity incident.
06:42
What is the documentation required for Clause 4.2,
06:46
Understanding the needs and expectations of internal and external stakeholders?
06:53
A list of stakeholders identified would be a good place to start knowing who your internal and external stakeholders or interested parties are.
07:01
For each of these, document the specific needs and requirements that you considered.
07:08
Also document the specific regulations, laws or contracts that were considered in relation to the interested parties.
07:15
It is also important to update this documentation on a regular basis, either annually or when major changes occur to the organization's environment.
07:26
Maintaining a history of these updates and any revisions to the stakeholder list
07:30
will demonstrate that you are maintaining this list and keeping abreast of any changes that may happen,
07:36
and continually factoring this into your ISMS.
07:41
This is another way of demonstrating continual improvement.
07:46
The third item listed here is not specifically compulsory,
07:49
but I would recommend maintaining it in the interests of preserving a broader knowledge base and context for the ISMS.
07:57
It would also provide your auditor additional context during the audits, as well as any team member that is involved in the maintenance of the ISMS.
08:13
To summarize
08:13
in this lesson 2.2,
08:16
we covered what interested parties are and why they must be considered in the context of your ISMS.
08:24
We also looked at examples of internal and external interested parties.
08:31
Lastly, we covered the required documentation to be produced as output from this activity.
ISO 27001:2013 - Information Security Management Systems

The ISO 27001:2013 - Information Security Management Systems course provides students with insights into the detail and practical understandings meant by the various clauses in the ISO 27001 Standard.