ISO 27001 Clause 4.2 requires you to determine the interested parties relevant to your ISMS, their information security requirements, and which of those requirements the ISMS will address. This register is the tool for that job. It forces you to systematically record who has expectations of your ISMS, what those expectations are, and how each one is addressed.
What does it contain?
The CSV template includes columns for the key information Clause 4.2 requires:
- Interested party — who is placing the requirement? (e.g. customers, regulator, executive management, works council)
- Requirement — what is specifically expected? (e.g. 99.9% availability, annual SOC 2 report, GDPR compliance)
- Type — legal, contractual, regulatory, or implicit
- Relevance — how strongly does the requirement influence the ISMS?
- Measure — how is the requirement addressed? (reference to policy, control, process)
How to use the template
1. Identify interested parties. Start with the obvious groups: customers, regulators, executive management, employees, suppliers. Then expand: insurers, shareholders, industry associations, certification bodies. For each group, ask: do they have expectations regarding our organisation’s information security?
2. List requirements per party. A single party can have multiple requirements. A customer may simultaneously demand availability, confidentiality, and regular security reports. Each requirement gets its own row.
3. Assess relevance. Which requirements influence the scope, objectives, or risk acceptance criteria of your ISMS? This assessment is the core of Clause 4.2: it determines which requirements the ISMS will address, and it feeds directly into the scope definition in Clause 4.3 (what is inside the ISMS and what stays out).
4. Establish links. Every relevant requirement should point to at least one measure: a policy, an Annex A control (as selected in the Statement of Applicability), or an operational process. A requirement with no measure linked is an open gap and should be visible as such in the register.
5. Review at least annually. New customers, new contracts, new legislation: the requirements landscape changes. Clause 9.3 lists changes in the needs and expectations of interested parties as an input to the management review, so schedule the register review shortly before it.
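Step 4 turns into a mechanical check once the register lives in a CSV file. The script below is an added example, not part of the template: it parses a register with the column layout of the worked example on this page, rejects a malformed header or duplicate IDs, and reports every requirement that has no measure linked or whose status is not "Covered". The CSV content is constructed inline (a subset of the rows below, with SR-006 left without a measure to show what a gap looks like in the output).

```python
"""Gap check for an ISO 27001 Clause 4.2 interested-parties register.

Added example; not part of the template. Assumes the register is a CSV with
the columns of the worked example on this page: ID, Stakeholder, Need,
Derived Requirement, Source, Priority, Covered By, Status.
"""
import csv
import io
from collections import Counter

# Constructed sample register: a subset of the page's worked example, with
# SR-006 deliberately lacking a measure and a status.
SAMPLE_CSV = """ID,Stakeholder,Need,Derived Requirement,Source,Priority,Covered By,Status
SR-001,Customers,Their data is confidential and available,Encryption in transit and at rest; 99.5% availability SLA,Customer contracts,High,Cryptography Policy + BCM Policy,Covered
SR-002,Customers,Breach notification within a reasonable time,Breach notification within 72 h to affected customers,Master services agreement,High,Incident Response Plan,Covered
SR-006,BfDI (GDPR supervisory authority),Lawful processing of personal data,RoPA; DPIA process; breach notification process,"GDPR Art. 5, 30, 33, 35",High,,
SR-012,Press,Factual information during incidents,Pre-approved holding statement,Crisis communications policy,Low,Crisis communication template,Covered
"""

REQUIRED_COLUMNS = ["ID", "Stakeholder", "Need", "Derived Requirement",
                    "Source", "Priority", "Covered By", "Status"]
PRIORITIES = {"High", "Medium", "Low"}


def load_register(text):
    """Parse the CSV; fail loudly on a missing column or a duplicate ID."""
    reader = csv.DictReader(io.StringIO(text))
    rows = list(reader)
    header = reader.fieldnames or []
    missing = [c for c in REQUIRED_COLUMNS if c not in header]
    if missing:
        raise ValueError(f"register is missing columns: {missing}")
    dupes = [i for i, n in Counter(r["ID"] for r in rows).items() if n > 1]
    if dupes:
        raise ValueError(f"duplicate IDs: {dupes}")
    return rows


def find_gaps(rows):
    """Return (ID, issue) pairs.

    An empty 'Covered By' is an open gap (step 4 above). A status other than
    'Covered' and an unknown priority value are flagged as well, because both
    usually mean the row was never finished.
    """
    findings = []
    for r in rows:
        rid = r["ID"]
        if not r["Covered By"].strip():
            findings.append((rid, "no measure linked (open gap)"))
        if r["Status"].strip() != "Covered":
            findings.append((rid, f"status is not Covered ({r['Status'].strip() or 'empty'})"))
        if r["Priority"].strip() not in PRIORITIES:
            findings.append((rid, f"unknown priority {r['Priority']!r}"))
    return findings


def open_gaps_by_priority(rows):
    """Count requirements without a linked measure per priority, so that
    High-priority gaps are the first thing management sees."""
    return dict(Counter(r["Priority"] for r in rows if not r["Covered By"].strip()))


if __name__ == "__main__":
    register = load_register(SAMPLE_CSV)
    for rid, issue in find_gaps(register):
        print(f"{rid}: {issue}")
    print("open gaps by priority:", open_gaps_by_priority(register))
```

Run it against the real register file instead of SAMPLE_CSV before each review cycle; a non-empty gap list is the agenda for the management review, and the duplicate-ID check catches the copy-and-paste errors that creep in when several people edit the same CSV.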
Example register. The Stakeholder, Derived Requirement, Source, Priority and Covered By columns correspond to the Interested party, Requirement, Type, Relevance and Measure columns described above; ID and Status are added for tracking.

| ID | Stakeholder | Need | Derived Requirement | Source | Priority | Covered By | Status |
|---|---|---|---|---|---|---|---|
| SR-001 | Customers | Their data is confidential and available | Encryption in transit and at rest; 99.5% availability SLA | Customer contracts | High | Cryptography Policy + BCM Policy | Covered |
| SR-002 | Customers | Breach notification within a reasonable time | Breach notification within 72 h to affected customers | Master services agreement | High | Incident Response Plan | Covered |
| SR-003 | Top management | Regulatory compliance without surprises | Quarterly compliance dashboard + annual management review | Company strategy | High | Management review procedure | Covered |
| SR-004 | Employees | Clear rules for using IT equipment and data | Acceptable Use Policy published and acknowledged | Works council agreement | Medium | Acceptable Use Policy | Covered |
| SR-005 | Works council | No covert monitoring of employees | Transparent logging rules and no behaviour profiling | Works council agreement 2024 | High | Acceptable Use Policy section 7 | Covered |
| SR-006 | BfDI (GDPR supervisory authority) | Lawful processing of personal data | Records of processing activities (RoPA); DPIA process; breach notification process | GDPR Art. 5, 30, 33, 35 | High | | |
| SR-007 | BSI (NIS2 authority) | Early warning within 24 h of significant incidents | 24 h early warning + 72 h incident notification | NIS2 Art. 23 | High | Incident Response Plan | Covered |
| SR-008 | Suppliers | Clear contractual security obligations | Security clauses in supplier contracts | Supplier Security Policy | Medium | Supplier Security Policy | Covered |
| SR-009 | Auditors | Timely access to evidence | Evidence repository per ISO clause | ISO 27001 audit plan | Medium | Document control process | Covered |
| SR-010 | Insurer | Demonstrable baseline controls | Annual controls attestation | Cyber insurance policy 2026 | Medium | SoA + management review | Covered |
| SR-011 | Data subjects | Exercise of their GDPR rights | Process for handling data subject requests within one month | GDPR Art. 12, 15-22 | High | DPO data subject request procedure | Covered |
| SR-012 | Press | Factual information during incidents | Pre-approved holding statement | Crisis communications policy | Low | Crisis communication template | Covered |

SR-006 has no measure and no status recorded: in a real register that row is an open gap (step 4) until a measure is linked and the status is set.
Sources
- ISO/IEC 27001:2022 Clause 4.2 — Understanding the needs and expectations of interested parties
- ISO/IEC 27001:2022 Clause 4.3 — Determining the scope of the ISMS