ISO 27001 Clause 4.2 & 4.4 Implementation Guideline

This article explains what Clause 4.2 (understanding the needs and expectations of interested parties) and Clause 4.4 (information security management system) of ISO/IEC 27001:2013 require, and how to implement them.

Clause 4.2 Understanding the needs and expectations of interested parties

Required activity

The organization identifies the interested parties relevant to the ISMS and determines their requirements concerning information security.


An interested party is a person or organization that can affect, be affected by, or perceive itself to be affected by a decision or activity of the organization. Interested parties exist both outside and inside the organization, and each has specific needs, expectations, and requirements that may affect the organization's information security.

External interested parties may include:

1. Legislators and regulators;
2. Shareholders, including owners and investors;
3. Third-party providers, including subcontractors, consultants, and other outsourcing partners;
4. Industry associations;
5. Competitors;
6. Clients and consumers;
7. Activist groups.

Internal interested parties may include:

1. Top management and decision-makers;
2. Owners of processes, systems, and knowledge;
3. Support functions such as IT and HR;
4. Employees and system users;
5. Information security specialists.

Guidance on implementation

The following steps should be taken:

– Identify the external interested parties;
– Identify the internal interested parties;
– Determine the requirements of each interested party that are relevant to information security.

Because the needs, expectations, and requirements of interested parties change over time, the organization should review the list of interested parties and their requirements regularly, and reassess the scope and constraints of the ISMS accordingly.
Documented information on this activity and its results is required only in the form and to the extent the organization determines necessary for the effectiveness of its management system.

Clause 4.4 Information security management system

Required activity

An information security management system (ISMS) is established, implemented, maintained, and continually improved within the organization.


ISO/IEC 27001:2013, Clause 4.4 states the requirement to establish, implement, maintain, and continually improve an ISMS in accordance with the requirements of the standard. While the other clauses of ISO/IEC 27001 describe the specific elements of an ISMS (context, leadership, planning, support, operation, performance evaluation, and improvement), Clause 4.4 obliges the organization to meet all of those requirements together, so that the ISMS as a whole is established, implemented, maintained, and continually improved.
